23542300x80000000000000001444927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:51.285{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EFDDD6F62CAE9B54FAB9129FEC99FE1,SHA256=FE6BA738CDD5E87297C7063F2160FC50E547CE313EE7B7D600DB3533CDFB4F71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:51.167{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0F690D6D0D3C240AADE92311C672AD,SHA256=F4E192A693E2A4EA846DDC142EDCED7FE3F8643BB4EE0E6710A8CB4952CD18F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:52.333{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96947A72F640AF3D562BA630185CFDA4,SHA256=F08A37B6E855EE998EBCE8FCB75EDEB32ED0DCD656AC07139FCC504C624DDEB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:52.182{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C812F959811D5FDDE076C18D6896BF1D,SHA256=8AC1A63E4808BD83C5F74344F76821906793AE4355644E5EFDF9B0A94660E5EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001444930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:51.727{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50701-false10.0.1.12-8000- 23542300x80000000000000001444929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:53.348{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEEE02D1557FA9D21B2A4DF38AE95E33,SHA256=82BFDA7B81A88FF5550FA0C98D25F0979734D8B29057FAF2BAEFA740E70D2291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:53.198{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD768E529049765D59731DA52B50914,SHA256=4A91DB4E6799FF2DC117D5175CC3D63974DA4B9EA60D298FD08FA1861121E0CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:54.363{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43806213964881635817E77F1DFE970A,SHA256=BAC1E13E70D6D61522C80FFD76E27ABD08260E8CAACA4812629D440F93E73942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:54.214{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=279BA538B1107A6D6EF8B019F2284AA2,SHA256=B57C8FD1FEE546612430D925AB345882E1F9C767BEFC389A71D7BA19DB9E80BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:55.379{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57408EE6C509474EE89F22E4DF4D2396,SHA256=76BFB4C1A7F8FC56DDB6B48CD56D5559BFB573572E11ACFF6B6680DFDB6C3CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:55.214{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6AFFA525EAB03A5E6DF0C400070C89A,SHA256=09C61BFA3816B29E0722F13681316D509AA29C7D75307BBD8A9DB8BCB751D6F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:56.395{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A2742D70FFA2FB043F58FE08217D57,SHA256=765C4D47BD11E21FBFD1F0DE430CBA4C5890B19A308713E733E3E2E7D6B55F66,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:53.358{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65044-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001539777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:56.229{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819F5EF8C1CFF4C3EC6665A8961045BD,SHA256=D9690E5BC39E536E713B00BFA290D4F1AC5CC46590ADA3CD040D03607D3E4896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:57.395{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD8A2B3FA6A74C23859CDA2FEC677D1,SHA256=77A9C3DF44C5CB8E55D3479BDB7670E65711EBABE766A9E6EE1D2FCB5C21A0F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001539787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:57.792{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B0D-6154-F302-00000000FE01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:57.792{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:57.792{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:57.792{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:57.792{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:57.792{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2B0D-6154-F302-00000000FE01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:57.792{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B0D-6154-F302-00000000FE01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:57.792{5EBD8912-2B0D-6154-F302-00000000FE01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:57.245{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA980F9502085D91660ADE7111F809FC,SHA256=C5A69CA85B3D690E8D0CCE717B6367FB4F39B90552EB232A4E81662A263DEC8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001539807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.979{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B0E-6154-F502-00000000FE01}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.979{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.979{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.979{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.979{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.979{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2B0E-6154-F502-00000000FE01}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.979{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B0E-6154-F502-00000000FE01}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.981{5EBD8912-2B0E-6154-F502-00000000FE01}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.917{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B13EC9BBD5BA331866509AB442BD2B94,SHA256=93696397A95FFFF5D0047B990737F6F2BA2C9BD0CC71E58C5E50FDC074A9E252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.917{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82CC2474BB44ECC153105E618CB144F0,SHA256=B2973BDFA0396947F6E9F067526D9907F7C3898F85788D675800813C2F9A1482,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001539797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.651{5EBD8912-2B0E-6154-F402-00000000FE01}19404308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.464{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B0E-6154-F402-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.464{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.464{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.464{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.464{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.464{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2B0E-6154-F402-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.464{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B0E-6154-F402-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.464{5EBD8912-2B0E-6154-F402-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.245{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6D8E262BDF26DCFFCAE611FC10974A,SHA256=3A1CE630D916B5EDC95297D88236B774B291BB8EC56FA45E8CF98502D5AFB8CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:58.410{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1CD0BA7D8D54FF911D7E53088DFCA42,SHA256=B6F483DAC8718374D95F1FA3790D3A0633272D548714354AAA1FE776226C65F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001444937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:56.898{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50702-false10.0.1.12-8000- 23542300x80000000000000001444936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 08:59:59.441{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A34D9EC666553E909D2C56E4720D03,SHA256=1CD6F2F6F4619639912C42BC02109920996CFD26F7648E105D144BDE8A839B7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:59.979{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B13EC9BBD5BA331866509AB442BD2B94,SHA256=93696397A95FFFF5D0047B990737F6F2BA2C9BD0CC71E58C5E50FDC074A9E252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:59.260{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D09867DD113764B991B5029F4E93A9,SHA256=016CFD4B7325ED0E56E15AEE7924481A4A1D7A02B33B02F61A121A638F56072B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:00.441{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3684F80DF4CF17C0A55A64157C5D30,SHA256=EB18709C6DA0D8BCA532B9526F8C5A3628C66CFDB747C32678689D70E5EB5171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:00.260{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622524CDF4AC04FC658E5777B59B9FE7,SHA256=455D4E051C1F8CF6B78E4FC679B93521ADA183BB48ECEB20A4E03DA68B38B063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:01.457{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2DA3960E8C1B3C6254F906A158F841,SHA256=45BA3AA1B43F7E6914F7717CEBDA92052E1FB80131C4668FD01F1E8E0FF4708F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001539822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:01.698{5EBD8912-2B11-6154-F602-00000000FE01}2201140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001539821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:58.406{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65045-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001539820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:01.479{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B11-6154-F602-00000000FE01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:01.479{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:01.479{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:01.479{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:01.479{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2B11-6154-F602-00000000FE01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:01.479{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:01.479{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B11-6154-F602-00000000FE01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:01.480{5EBD8912-2B11-6154-F602-00000000FE01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:01.260{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D55107BA5F06709209DE930690FFB9D9,SHA256=DAB18D193DAA8286F68AA1AD256D71B7533FF13143A081CB86F4E3423021D3B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:00.995{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C2BBC39CCE3E57430D43CC929B06C16,SHA256=925BFA77F5BDCF0B7DF13FBB387DBECEBC0BB31780D6CDE10492AAA254A0BDFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001539843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.932{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B12-6154-F802-00000000FE01}1684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.932{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.932{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.932{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.932{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.932{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2B12-6154-F802-00000000FE01}1684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.932{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B12-6154-F802-00000000FE01}1684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.933{5EBD8912-2B12-6154-F802-00000000FE01}1684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001539835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.651{5EBD8912-2B12-6154-F702-00000000FE01}56124932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001539834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:59.280{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65046-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001539833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 08:59:59.280{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65046-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001539832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.479{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93C2E9784384E681AC2558EAEC3DFD59,SHA256=B3B6897BFB10F2C3DA2875EFAAFA94BEE769557DE65E3285A7728DF35CCA61FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001539831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.432{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B12-6154-F702-00000000FE01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.432{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.432{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.432{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.432{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.432{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2B12-6154-F702-00000000FE01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.432{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B12-6154-F702-00000000FE01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.433{5EBD8912-2B12-6154-F702-00000000FE01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:02.276{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FA3089B8F31A421F0B06F911EE99EAA,SHA256=5A706131E245F697BCE0FD48B7DF49A7C8D5355197A682E563357D82A9CA3F28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:02.504{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884175F80887612D0F3EA01A0F70836A,SHA256=78BC37C9C64281B772F9B0F0F632C220D5BB2FF60AC6C4DB02A9EF10B85E9300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:03.520{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568ABF83A4A7B7BB4EF54EF769EA4909,SHA256=14D3744E4D6AA0F70826763CF1FFDAC7727BEA5AEF2D76DD205A680D5D8F2AE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:03.292{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16D4B5AD2131E81EEF103BEBD125147,SHA256=45BBEB42BAFE3C9B0D5A3CC141CF2DEDB74C0A9420F511EEAC61EFCC0F6AB6FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001539844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:03.182{5EBD8912-2B12-6154-F802-00000000FE01}16842520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001444943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:02.930{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50703-false10.0.1.12-8000- 23542300x80000000000000001444942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:04.551{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62392D53A84B1B5C81829D3FF96D581E,SHA256=7D5A9C6A523B945E992C3144F55F5B4696BAE84386257DD88A8FAC18D6FA9D12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001539855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:04.667{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B14-6154-F902-00000000FE01}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:04.667{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:04.667{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:04.667{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:04.667{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:04.667{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2B14-6154-F902-00000000FE01}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:04.667{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B14-6154-F902-00000000FE01}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:04.667{5EBD8912-2B14-6154-F902-00000000FE01}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:04.307{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B6413CB15F3C022475E691DA4A746B,SHA256=4371D2489F83E6C2E0AFDB964F80D7DB8A6BAC65F1B1CE1087695EF163F0201C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:04.010{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAA3DD16398B92D1674B59E9414ACD77,SHA256=70D8B401DED7AED6D92DD69C24045DEC4B60478BCD882D37F3473988C488B500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:05.566{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D70C23BD8AD38DA6ACC5974814D4161,SHA256=D74280071F55378DAA5CDA49032957FA6BBBDF1221D81678717DDCB91D6749C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:05.751{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6349BA48290D431D9914CDFBF2B693D3,SHA256=3381166E7993753AC84ACEBEABC580ED573EF9B47D9A3DEAF9F7CE3D1B1E3541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:05.314{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A06551D38F4BABDB84C0F393E5AD0B1,SHA256=2BA108061910DF3D955B377E1CE180C8F28CA86B823EAC2C63BECFD4A844DB11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:06.613{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6EA094234C51725E73DB03AF8B3618,SHA256=DB37097E2DE8A5426B2B03472A0E1F9E648517654F2ABB9F1158E295BD03C6F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:04.343{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65047-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001539858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:06.314{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56FB4935B33FA0E2B06766AB9207E5DF,SHA256=6DBBC3FE4A2E86942E35C06FD96E66335F469B29DF2FD240789DF4AEDB7EDE1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:07.314{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B9E2DC59A50CC399F646560795A4B63,SHA256=EBED7DA57E43F921E0348AF914F39C5267CDBF44988A0DFEAE05FE968F0C5A7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:07.645{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A683CE4381E5235E96F2F8F3BADA292,SHA256=7F05D4A2A59D882C1D259A46215E24E3A92BC30D920D2C16A01A4E9C8B5CDCAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:08.676{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825900B942A89DD612C74966687212C9,SHA256=8E9BBFA3FE033E2E92ED5A13CCF669B33F9A588CA0EC8AB00E8C74E1D8985D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:08.314{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B175D8C8E1D2AC9D18CC0E083F6D6B,SHA256=584C506D41965604B2A0096614E5C8A09D23F83AD6A9A80322551A176E774E9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:09.707{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A51D48831B1778805E48A986438A3CF,SHA256=9E53B196D6B91B20D20AAB38DE1E82B4C4262394C9341ADA5FA45E2B7B8C09D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:09.314{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E5D559940EBD1EE8CE00A4F5CC518F,SHA256=9E46C330918134C0656CD449CFC55FB312B605A8F724B670525E8DE7E1BB6204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:10.723{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2641304BC1EBEF6260953FAD98106D,SHA256=5596916DA5F40A499D4378B2E8A9A26F0ADD2514244D4CB9103F03CF1E0E6251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:10.314{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E709DD9F4DA108E91C00A58A981593,SHA256=8694100D109AF5AB5B2206297D5D3FCF29DFAFBA41A03531717E49247B9073D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:11.879{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CBBCF90AF4C135830F47A4B1B0FFA34,SHA256=70217327AAADCA84B7DD4FF008AEC0E6FA52094C32D035C8E9FB91FEB049219B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:09.459{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65048-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001539864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:11.314{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70BEE0D4EC5A7C2948745D586C469ECC,SHA256=75F972658D2866CF2C0BB4E5C6F1C22489546F9558D530FA0ECD9315ADDF15F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001444950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:08.727{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50704-false10.0.1.12-8000- 23542300x80000000000000001444952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:12.988{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5BC109174746153F748743CCF8D265,SHA256=F17E3102642248D8F749CB07D76BCE600471D25B87A73FACC5B4925CE0DE1856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:12.329{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FEF10D4FF43838696F5FE4A1827AE04,SHA256=A9BB6C937BEE560B79971CFFDF150483C3CF5C0F006FABC881A6C3F84CE1B90F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:13.329{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA498A7525EF51A805F11FBF28D9BD1,SHA256=C614DD3588C65BB63185949BC4343FE7CEB35DC5BE359C5C8A5965237E90A02C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:13.945{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-076MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:14.345{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F0342DC09BB06A49DCBB978EA02730,SHA256=D855BEF9D1A6BC5A159C320DE87FBAE0A9B8F52B92D2CC388346993A309CA6B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:14.957{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-077MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:14.832{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=35FBE2C325271038458F42033C5AB68A,SHA256=7B82FB6FD049D32B6D1D35D12546BC5B080CE4FFE42283BA00007AAFAE229647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:14.035{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC386BCF46AC5A57A5169F80D5FE7B2,SHA256=1F1A9F2F909EA4763CFF93025B85A383F653BB182B4B5A946B43D4502EDE2144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:15.345{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CD69E3959073EEEF2CE9DD332B94F4,SHA256=D82253F0A70063055991DC953CD4FC1C956557D45EC6A37373B934E40B2B54EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:15.048{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F30E245077923360CED4619C97D2F31,SHA256=BE41266F7F3E554FDC1486FCA07D1C0F26F5B3C0C7CC7D7BA6971AE595DFDA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:16.361{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6233BA4C633ED4D78CB579B409A4949,SHA256=C0CAA6635A32A8FF60A7B1D2CD935598428FCABFB8354A41447E99BCD7E97AED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:16.051{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A843E6AB9D03940F140F48224D30D5B,SHA256=A5CE2B52D19CE3A8C92896BE57936FA7719EE81BB9343DCC870C0B023287D40D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:16.035{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:17.376{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471161CD41F0D260B64C7D77AB98FDA3,SHA256=650958E3E57DEADCE4ECF1E70FF116C83A030BA5D8BA8E1C3373179B3B8DEFBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001444961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:14.740{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50705-false10.0.1.12-8000- 23542300x80000000000000001444960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:17.066{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88DC3EB6A9B497FBA61F1501EA507137,SHA256=2F079CCCBEA01E0AFFD698F6CBD299D5736088E0A71011490B0532D7A68F01E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:18.376{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=222429421E028BEEBC65C0F5C4E343E8,SHA256=D1FF64BD111E9CB7B147B6F61B43305A42A7188F7A976C8F3BD967D3B71DA02A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001444963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:15.711{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50706-false10.0.1.12-8089- 23542300x80000000000000001444962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:18.098{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D017464CB6B20A53793AC1964FD8C81,SHA256=69EB399327C0B21425EFC2207EA076A06F93A8D828C6B53EBE16F255BB7BB4F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:15.506{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65049-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001539874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:19.408{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A4FD8C3C548DC1865C3A690220EE5D,SHA256=AAE438D8C8A9A7BB9D24967790DC8F5264F2A73A3C9C8DBCBD4DC702EB3CDE94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:19.113{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DEF7805BE12F4CF97E30D837D79C9F5,SHA256=E8797E69F1EB468AE77E32436EAFC3B56D60EE19CAD5D19F8BF60B1C9E7DB4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:20.501{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C3E40DA819B7C800132B67AB1A14C0,SHA256=1A798A9520C30A287B86E13F1818943595607F88E143A7C887CBC802072D567D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:20.129{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38C634CE04D004112306D9872F05B030,SHA256=177E92AB1669846BCCEA81A87A7F178E38D150CC07A1629099D4D30D27C05DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:21.564{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423F9C6499F8FF37CFD2A95D863BEF80,SHA256=8EB9D6DC66CC31A2C1DBF575355E8088EE156BB3360B3F12B0445B77E72A686F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001444967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:19.804{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50707-false10.0.1.12-8000- 23542300x80000000000000001444966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:21.238{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5185C79F76C47D9CF83B46520D1FB5E0,SHA256=A3A83DBF3676F2BD5EC009B06687C1A7FBF50F92B629BB7551EADE21A035F792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:22.595{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE7DA4F2E077C6C1EDF448B064E554C,SHA256=3A736AEF6F0F9BC50F0E2435CC3697392EC7E5FB2D4CA4BCE2386EE93A80C10E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:22.269{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F1E35D96ECB60E76DD8DFC6641B6535,SHA256=875CFF2B6EBC0CCD20435A0B5F21B8BEE1C10BB67AF222CB796AAAC74C366B9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:23.626{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3433524AF081A2E26F15C7124595FAE9,SHA256=6C658C5977CAAC32292063480F94E92ADCC5DD1FD6E74E1E8F806DFD5360291C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:23.332{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A841D338F6C4322813E64B243A9353D6,SHA256=9D59F96B15A816E7C84D97972640A0E03FACDFB6997BCDBCE8C35641070C1002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:24.642{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37811021E6F9742F8A10474D5FBF14BE,SHA256=348FF1C66C834B2D62DFDC0E35CB93682BFEDBA10CD8C0C59EF3D43B148FC65C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:24.332{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B23427883D65F76592A8F87A4C60FC,SHA256=0B03215EA0C4E2348A00EA4602B3A525EA148E82E5ED93B6391CEADF9C925D10,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:21.334{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65050-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001539881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:25.756{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A809052153DBA4ED5321616FB98BA1,SHA256=CD9B6AB9DA35ED76E42105DDEBE296B85D834EB0D12AD672771FDAC14DA2B9EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:25.348{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=995EAD35119B85140C5B284BE1E7C2C4,SHA256=6FAB53324396CE9DB7C7E065C7E4371E6B51ED442E4DE95A31E25B41BE3D4B88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:26.756{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27974A5959A2414321DBD4391A84AAAA,SHA256=8B05A00B6CEEE4E4446BA7AB615AE0813F0D2DC4159EF5D44E0EB9EB678F2D67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:26.363{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38EBCB5B28439ACAA0A99C532ACEF910,SHA256=6769210AF383459736AD573597648D2D46733A7E71F6DA1B4268E21B15A84F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:27.756{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF60F108751FF79B5EBB3E4F4F2AF6E,SHA256=CD56A47BAD768B06DCFC7BE9E934AF1503F8395EA25299CAEF7273385289E5BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001444987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:25.773{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50708-false10.0.1.12-8000- 10341000x80000000000000001444986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.488{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B2B-6154-C002-00000000FE01}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.488{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.488{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.488{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.488{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.488{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.488{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.488{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.488{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.488{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.488{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2B2B-6154-C002-00000000FE01}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001444975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.488{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B2B-6154-C002-00000000FE01}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001444974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.489{69CF5F33-2B2B-6154-C002-00000000FE01}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001444973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:27.379{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8DA947FD735F92ACFEA4AE19684809,SHA256=F6CC49F7180012ECFC6EDAE41BBC59F822095C9E650E588D7D0B90E67C8484CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:28.788{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B407233F4193F12AF9C491352F0741,SHA256=0FF25C51EA8FCE84DFE20A1655D7BFE240EAF8B2D9CF5B195736741F79AB6372,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.741{69CF5F33-2B2C-6154-C102-00000000FE01}35962348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B2C-6154-C102-00000000FE01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2B2C-6154-C102-00000000FE01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001444992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B2C-6154-C102-00000000FE01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001444991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.598{69CF5F33-2B2C-6154-C102-00000000FE01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001444990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.504{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8A730F3241ADFE26530B005EF281071,SHA256=136EE569678D942A1A082C3DBB3B11C0876A855659EFAC746FE4AC73B6DA1BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.504{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5779D1A6B98C4D14FF49C3EDBA1FF592,SHA256=BE07A993570D44158623E596589855FC6D7950346792B7A02EC6D8A8A27E11DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001444988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:28.394{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB036310DFB4962ADC9DBAD360232EEB,SHA256=1FA9314813CC788845681407564921FDF2A282DF0C5F493FB1BA39B89FA0C8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:29.788{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD8B1C07EF2CF535CE4F20C96E400705,SHA256=CE36C4A73E814062C33AD7CADD84DC80B91CDC126919BCB0B8757B7731397E86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:29.738{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B2D-6154-C202-00000000FE01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:29.738{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:29.738{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:29.738{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:29.738{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:29.738{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:29.738{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:29.738{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:29.738{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:29.738{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:29.738{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2B2D-6154-C202-00000000FE01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:29.738{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B2D-6154-C202-00000000FE01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:29.739{69CF5F33-2B2D-6154-C202-00000000FE01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:29.707{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8A730F3241ADFE26530B005EF281071,SHA256=136EE569678D942A1A082C3DBB3B11C0876A855659EFAC746FE4AC73B6DA1BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:29.442{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A411238318AAF9EC12B326D564422B,SHA256=3873A2C8E2E8F257EA384C453523DDB9279AC18DFEA7A55891014FA999DA6587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:30.788{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749E7EE593FA70E92698B013D7918CDE,SHA256=C3B2831FFD1C0551D220AF44EEC73CAB48D20428371C36862C9593F68B9F717B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:30.973{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49497B1F5C03B2E43B73DFD5585052CB,SHA256=57DC97E677548084D6EC7BD3C977C4B68F8C977DEBC169FFB205AB31890D31A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:30.488{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A18968021295E8477B341ED34B6FE53,SHA256=FDEF20153F37A131F3CAF0BDFB2E9C55F97591E18C3777D68C1AA3D2B263A0F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:27.339{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65051-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001539888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:31.788{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577AB85A9BBBFB78CFBCAE5848152C1C,SHA256=C77A3200AE28CE89E82B8E114FBE2DC6119A3B41A1956FC395DFA08150434A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:31.519{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2532C169DF4DEEE68D044A458AC16EBD,SHA256=EBAD1229A3EBB8995F4EC3AE821EE1DC11460851C2E04E16AEDD4CE96CCD393D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:32.803{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=659D1CA455030660120693E977A46F5E,SHA256=4460807AF4630013E4EE4A58F5D58D12E377FC7ECAB2777D7265A760BC793D34,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:30.898{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50709-false10.0.1.12-8000- 23542300x80000000000000001445023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:32.551{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A07116F8B5F146660FB40AAB267E1CB2,SHA256=50D14025384D38C54821CE7744CF320956CDB8088AAAE4A145EC03AC8E748A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:33.819{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF7EF713731E84151F9CAE6C3577CC76,SHA256=F6E921A29684F3DDA16442730F29A73A52F970A7DEBB0B55082D15EC051C6AB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:33.582{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F655EF74E818A22AC7EAAC5B36759366,SHA256=FEF918BC6DC996208F24CC6363AEBA139EFE1D273796B0B044D620B81CE707CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:33.788{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D5857454A487A87496B15915DA6AE855,SHA256=A9C27F1F131D4AE9833EC47162E21D23FE0C19008A94B5B182E6167442935E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:34.834{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E40E761C142E35C1F79C31FE4D11388,SHA256=81F33EEBE969DB28B66DEF7FF96EFB350DE9CBAAA214D1D1A0B6DE42DB056151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:34.582{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF4A6730C331723E8F91346B36E33AC,SHA256=3F61E65354D5F082F628B0CC375DA0557E6A8A8F95ED0D379AC525CB1DB410C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:32.449{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65052-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001539894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:35.850{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD28B9C0BE3AF548B9403F4F21B1604E,SHA256=26EDB1CB31662F4E3555348B263A355936E1A267D1425D1F6EBF4C07BC891C4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:35.613{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409DA3907AFB891D7C0E66CE0A37975F,SHA256=15F228E238A58422A470E342FB072461EE4F7C2B3DBD899B8B8AC4406BF35804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:36.866{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F1468A4A7F9DB85FFE5F6FA48134D2,SHA256=8EBF9865C1F714B07A0BF87D06A0F189C6E9AB8B1D7FD86A632FC8DC86A1170A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:36.629{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF09EFCCAD5EC47CCAA17601551670DA,SHA256=30F6C42A026761A92E6FC16E7BEC9E75AC1A5ADCB714A22F38AE8E1471BCF5EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:37.866{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD803ABDC67CA9F0FD4388A2AD8EF33,SHA256=1E784C844439AD0A4667887D8710814E9C14ED93B2699DD59AA8A6AD3AC9F7BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:37.660{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CDBBE70C78D3687C1451AEDD884DA07,SHA256=B796A086ABBCF60D3C4907CA40F48EDE99DBC6198AA26CCAB0EF3136E4906504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:38.866{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D624F6FAE7E6D5FCAF325A3ED0BC0D0C,SHA256=0D197352D11BF7575B00AF670F5F02FE537A0743B88DCF6C41A3547568782FBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:38.676{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC9A79C2D0C5A126D730CCCA6B9A9AE,SHA256=FE89B3035D4135AC0D590257EF328B1C410C76413E2DD5BFCD64AE4AD753CDF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:39.897{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F6F27B2B1E74C91E9E4C05AE46B7B02,SHA256=3C627DE5029BD59F7E4C0130BE197D3B43C3CA76B92336655BBE88E03064A46F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:39.676{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539AEAED0D38CAB7E3673AAAD3535AC1,SHA256=37700C4F448CFFCE43CFC147AA63B3E54944505BA9115B67B76C7EBA5378F698,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:36.742{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50710-false10.0.1.12-8000- 23542300x80000000000000001539899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:40.897{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2AAC5501BCF0B2DCFE5A61F9CD0C061,SHA256=1A35E98F3C7F05DECD5A431CDD65BDA56ED3FBED7CE89C25A4F49F1570EDE8F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:40.707{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0555983ED8883C32D396920A4A41771F,SHA256=2F367ABD5A876385D88075EDF32D5F85BBF21052F2E70510B2130BF401AE66FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:41.912{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B0B280039A2781FFD475169D90DE5A,SHA256=C251FB3B8F3FCDCC2756E5F92078FDCA5AFCA2909D8F2D45D9C6FEFEAFB677F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:41.723{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CDF6569A97ABF548309C1D504CF9967,SHA256=6D3FA2A3018F8B41CA767DAFC3D04D90BA83A0B7DDC5EFF1FE3221E0035E53E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:38.339{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65053-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001539902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:42.912{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33FA77D5261E11DF1C225B093B1347AE,SHA256=1904C8CA8D76BD59CAF1588A54A73D9BE96ED4B001195444989D799494C12393,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:42.895{69CF5F33-2B3A-6154-C302-00000000FE01}22643524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001445048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:42.738{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B288BC21CDB907A924BF53B275605AC,SHA256=D6C0BE8220C0C0B03A7910794B64835B224F7379C765C12E904928FAD5C711C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:42.691{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B3A-6154-C302-00000000FE01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:42.691{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:42.691{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:42.691{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:42.691{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:42.691{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:42.691{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:42.691{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:42.691{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:42.691{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:42.691{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2B3A-6154-C302-00000000FE01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:42.691{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B3A-6154-C302-00000000FE01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:42.692{69CF5F33-2B3A-6154-C302-00000000FE01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:43.912{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607330509A646BB8D6BBBEFF74570FBE,SHA256=EF4A46A9C912C3A4236669F11A42295E50CDC2EBA00B728B0BC24EADCCA32B0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.926{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B3B-6154-C502-00000000FE01}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.926{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.926{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.926{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.926{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.926{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.926{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.926{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.926{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.926{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.926{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2B3B-6154-C502-00000000FE01}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.926{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B3B-6154-C502-00000000FE01}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.927{69CF5F33-2B3B-6154-C502-00000000FE01}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.910{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D8A7E87F1BC6EE40A227EA797E9757C,SHA256=94F083F3F449BE8DD6C58FD166CB837B3F571C63AF48F89DD59F05B79DE6DFA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.910{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=528F5C1BF7BA0CEAA382B31ECE9185B9,SHA256=AB33768231588CDBE5BB3409299958AC237C1F28E1EF1643376C694E35B0C66A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.738{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6483ACD3D037603815440BE1C3D1875C,SHA256=B36A7FE9E4785D1AB09F8771C195C6264B008637E3EC0B98D9925838BF724508,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.535{69CF5F33-2B3B-6154-C402-00000000FE01}37043944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.363{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B3B-6154-C402-00000000FE01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.363{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2B3B-6154-C402-00000000FE01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.363{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B3B-6154-C402-00000000FE01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:43.364{69CF5F33-2B3B-6154-C402-00000000FE01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:44.929{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B1D7320271DBCFFA3DEB572FE60BE6,SHA256=5C7612D5551A0BB61A953F361FC560C9A6DA31D9A3972A8651826B0275D353B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:44.900{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-076MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:44.598{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B3C-6154-C602-00000000FE01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:44.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:44.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:44.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:44.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:44.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:44.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:44.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:44.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:44.598{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:44.598{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2B3C-6154-C602-00000000FE01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:44.598{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B3C-6154-C602-00000000FE01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:44.598{69CF5F33-2B3C-6154-C602-00000000FE01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001445080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:44.066{69CF5F33-2B3B-6154-C502-00000000FE01}7403396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001539908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:45.969{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:45.937{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC2D238005FD3E5DEAEC2888AC628C4,SHA256=53BFE175F693DF9490778C9CC8AB2B064E82BB4FF7B1DB9E07EA7FC488A53312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:45.909{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-077MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:42.757{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50711-false10.0.1.12-8000- 23542300x80000000000000001445095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:45.082{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D8A7E87F1BC6EE40A227EA797E9757C,SHA256=94F083F3F449BE8DD6C58FD166CB837B3F571C63AF48F89DD59F05B79DE6DFA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:45.066{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=444D9DF802C5AAC341F92B2758CDB853,SHA256=667298AE80C91025A854E188773AD3C93C8719A70D62CA5B4D10A47C068F5551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:46.941{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9431A4B7B532CEB62CC6BDD427F40214,SHA256=11FC02D1A55514C8ADEBBC21F3BEB795172BDBC52E11B0BAD76C612F9C4A2E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:46.098{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A666C0BF788B7758474692296CBCB09,SHA256=EF4EE6312A8AD65A3DD93F204BF1C08F1D02F4A40161BA1B01F602F383868CDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:47.956{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D39F8D2EE4A0024C54C4E74EC31ABE0,SHA256=566D1E2F5F96EFE30C23FBD6A51D38F6DCB527DCA94DFE134B4111A8A03A5474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:47.129{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C2929D82FC25509B7607BC5044545A,SHA256=65639731F3D595ADDBD0B633BCDEC8510B366514563C31EE5545909A6099DAAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:45.468{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-43181-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001539914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:45.444{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-43064-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001539913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:45.239{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65055-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001539912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:44.325{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65054-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001539911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:47.253{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6B95463FEAF494333E388DB66C4EC2B,SHA256=B983CB1B32E6C4BF7D9254EF18EC67FF92A450F5B558C17A20378A1B42AF37AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:47.253{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AEAB92F00486E26C94F3B43A1840956,SHA256=61A5245C87EAB84A6CCB5783F1183CCBACAD7ADD6171C05A6BB1C00F33B4F316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:48.972{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434A0C92E7B3CF91A0CEBAB61B905B29,SHA256=C963B36AA74161B82F605C1F15BEE522D008A6F72818A79419331BA563CCCD8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:48.160{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A49AE921C3F571E9A8D28A2EF0D9CDF0,SHA256=704F301E2E2A7427940241730750D367575E5672CF2A691C6A01488D7A1E949A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:48.612{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6B95463FEAF494333E388DB66C4EC2B,SHA256=B983CB1B32E6C4BF7D9254EF18EC67FF92A450F5B558C17A20378A1B42AF37AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:49.972{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2980979179BB6C0220E553AF5722B844,SHA256=84F45E6029DC40D080C98404FE27FE1CBDA270F7B14ADADEB7C75278470A7DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:49.207{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E2AEFE372E3097A37357A7B70E05057,SHA256=F46374A5E802E67F61F510428AC029CA3FA63712AF96F9F2BE9ECB93280E6463,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:46.673{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-48557-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001539919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:49.691{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=163F684DD94F504CFCE2D1D9CC1CA1E2,SHA256=A24F674041F579C8FBA9D0C00395F95B3DCDED3701F8B0B404425A743EC0871C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:47.929{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50712-false10.0.1.12-8000- 23542300x80000000000000001445101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:50.223{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC5B34BC87B16A414737A1F540A66E6,SHA256=C41522F8D1286E45807580B2337802902EE575EF4507CF59C2B1BCB8BB78664F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:47.919{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-54097-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001539922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:50.769{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=763CC16C6071B4ECF2D21B4E8B095905,SHA256=152E86D87F7DF6C76093BBF8839EB8F7EC75E008729C9D93FF2D181DB9FD7420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:51.238{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D907C12EF3B4F47ADEFE2813916B7CB,SHA256=05A3040450E37D31C2ED802A6008BEBF7BB7DC7932ED8DC9A971D3C3CAE11735,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:48.997{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-58876-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001539925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:51.847{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E7A2DB3451CE94F97A6A1087B437310,SHA256=510865DEA2C3F80FFF7A4571495A5895F5BB218105735938E93EDD0083AC634B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:51.003{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B37AFDD087FD44F518EF8E52C49ED5CD,SHA256=3893D99F0F8D21BECA06F847BEE50E0A9ADC7062D1EEE14C0E5608A66A2822FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:52.270{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4D0A265CBEA9907BC02F989038236D,SHA256=5E7740249662B2A4ADC0EFD88EB08D659C8F5CDDD385175AF3E0FB17DE80A531,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:49.477{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65056-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001539927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:52.065{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C754F8EA3D91EA9DA60BFB2E0FB0535,SHA256=439C9828C469F8190B4582CA72F09B1456AAF45714689E9612F634F318CF1EFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:50.077{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-4702-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001539930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:53.222{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=275A4B5E657362F966C1C0259C9797A0,SHA256=8835F3799C8AE565CA2AA19E6C4FED1C3EFDAB50847F930BA99E5E6193695414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:53.081{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0548038BF8ED2D399C4464E3C029F760,SHA256=CBB0A13C3C0C56EB27879F8ED6BB59222404806B3E4314BBA4022DB7F322AFFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:53.301{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=155BF8D22FCA7F762AC73620FB15A3EB,SHA256=1E66BFE81E1D955C1A7AED62493CD13868DF36F721649A27577AC271B17F665A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:52.929{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50713-false10.0.1.12-8000- 23542300x80000000000000001445106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:54.316{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=852B84FAF24244CAF29C5492C4D8B13E,SHA256=0CCF35932720243A6C0479F148CF809B9785B96193058A18328835152A67E5C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:52.543{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-14939-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001539934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:51.353{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-9618-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001539933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:54.347{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C46DEED0961BF9290033E147ABE29316,SHA256=FEA020313F938A3093C517545CB1E5529587188B80C1090AE1C1DB48FD278DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:54.081{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21EE6F3325572A36C25C91731631F7B,SHA256=0B7EE41CB1841455290D1B60398B00FF6A84D78C665BD490A8083C8A10C0FC26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:55.332{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=432216BC51E1E52C4BB47C6478ECD7DF,SHA256=DFB771942C2811653DFBD4D3233DD62CD03EACC86AEE17402078A61E2971966D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:55.425{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0549A39381D7CD94C9336D44407DB0F4,SHA256=B468A6E091D0FB2DF48B5603B7A8F1FBC549D2D3461C7559040C59D40009863E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:55.081{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31DF68923E6B0B679A675FC227CD96B,SHA256=BD257C218E9CAF6339EF4DA598137AED01DE2775CBC3CF2015BE1E6987668693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:56.363{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE20B7D78F935FBCBC6B4575B38664E8,SHA256=572C306775B678088F562C421AB50310B6B8F7F1AA70E3B14239C59B16661E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:56.503{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6911AB158667A0F9930DAFE98B839A1,SHA256=DFD4311171E18973ED25A574B54FF07BA785F7DFA6E4C26858C5B83D3DF2B305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:56.081{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA6D45A7558CC7176A89E7134654860B,SHA256=7675C1A4F37BC3AD0E50D63E88A6F55D1934F068B368F107596BD68A29CE5123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:57.379{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF175E52AA9745A5C557B39663BED0D,SHA256=8C77AC2E91CC40AE77108DD686B95BA431DD7B8612D0AF485FB045CAE78205AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001539953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:57.784{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B49-6154-FA02-00000000FE01}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:57.784{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:57.784{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:57.784{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:57.784{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:57.784{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2B49-6154-FA02-00000000FE01}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:57.784{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B49-6154-FA02-00000000FE01}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:57.785{5EBD8912-2B49-6154-FA02-00000000FE01}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:57.628{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77AFBFEA6A0F4CE6078E7047FD7CFD68,SHA256=34C422976836ABBAB1840B2E5E3153B8D5EDE8AA0BE93F47E7E039EDE12818AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:57.144{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E294DF19DA1BB7EBD4EC72F98171D959,SHA256=99E277C647EF709F7D7AF5C5546C8F109D92486F203440375142DECD14709BE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:54.508{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65057-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001539942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:54.051{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-9516-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001539941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:53.970{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-9218-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001539940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:53.654{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-19982-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:58.441{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E52E898929FC20C2F7B38A2F3F32A87,SHA256=650A56DB5EF3453CFF29847DC8A974D5AFEEB01CDFB6DB6B8818CD3F601F6651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.753{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A899414C48EC164F05AA1DAF7DD9E57D,SHA256=0A6F35A49EBDFC1CA42B0B9B4A832AFEC4D58FB6B0307BAF9BF3639AA5AAE4A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001539965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.597{5EBD8912-2B4A-6154-FB02-00000000FE01}5100380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.394{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B4A-6154-FB02-00000000FE01}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.394{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.394{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.394{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.394{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.394{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2B4A-6154-FB02-00000000FE01}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.394{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B4A-6154-FB02-00000000FE01}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.395{5EBD8912-2B4A-6154-FB02-00000000FE01}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.175{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476D2166D5E2077EFC26C6A4785DA266,SHA256=83AB3ECC8C5A48F9ACD01543D4009097CEF42928AA66D16118B6F02AF7A72E8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:55.474{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-16717-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001539954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:54.734{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-24900-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:59.457{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7C389B6090E0E550A51931043A98F7,SHA256=83218AC6724C412CF7790CC23900352E21B55027B526B133946EF85CEFEF90DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.878{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DE72742CFD9CE03CEA78AC352B95DF0,SHA256=679E981EC738FB7997A28B14C3A7848F7D720FA3241A6ACE6081345930BA1064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.206{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13D6BCA002CC01963E54B22D091B2C1,SHA256=447F7B41C06A2D99E942D2F32399E067A435A3ED9FC49238EEF3A86736FF2352,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:56.949{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-34480-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001539976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:56.937{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-23396-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001539975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:55.825{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-29615-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001539974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.019{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B4B-6154-FC02-00000000FE01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.019{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.019{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.019{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.019{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.019{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2B4B-6154-FC02-00000000FE01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.019{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B4B-6154-FC02-00000000FE01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.020{5EBD8912-2B4B-6154-FC02-00000000FE01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:00.488{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BCDB2AC4C166E72EB8B8521A0E26D0,SHA256=C961856CC521708F027C5F5E8BB5D9927F65C16C95B0D0BB32B9F445B4409B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:00.987{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=910F8C6D18755FAC8AC849CD694FD126,SHA256=F4C4098445811116EC48DA501BFAAC17DE7A48A75BB70BE4600A6F48CF6A0739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001539981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:00.222{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF2A3A973EF02CD0BE063A28E69605B,SHA256=9B7D737B1074A2057E8A200164AB454A045A3BB0E1F086B5B793A1C968B90948,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.077{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-39134-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:01.504{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68B060D4E2AA4BA1008F03D17C644CC,SHA256=79BD7969A2D328E5ADA5A938E2DC546D0C3746FBBC91AA7FAE13A026E5386CDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001539994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:01.628{5EBD8912-2B4D-6154-FD02-00000000FE01}60804280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:01.472{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B4D-6154-FD02-00000000FE01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:01.472{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:01.472{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:01.472{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:01.472{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001539988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:01.472{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2B4D-6154-FD02-00000000FE01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001539987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:01.472{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B4D-6154-FD02-00000000FE01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001539986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:01.472{5EBD8912-2B4D-6154-FD02-00000000FE01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:01.237{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D4503AAED2A80D5C49A2046B02C929,SHA256=3B7477C6384992AA544708F57E634FE692AEFF19CAF68EE86FE648005A4B04AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:00:58.757{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50714-false10.0.1.12-8000- 354300x80000000000000001539984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.207{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-44132-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001539983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:58.190{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-30851-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:02.520{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F01B326378AC557256614CCD706C40C3,SHA256=C911DC4C5BF79D4AA40A63698EFA4AE1852316D681EF14881659DAD6BB1BD34E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.565{5EBD8912-2B4E-6154-FE02-00000000FE01}5996892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.347{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B4E-6154-FE02-00000000FE01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.347{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.347{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.347{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.347{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.347{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2B4E-6154-FE02-00000000FE01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.347{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B4E-6154-FE02-00000000FE01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.348{5EBD8912-2B4E-6154-FE02-00000000FE01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001539999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.300{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A499A5828CAF6DCB335C841778C8E8E,SHA256=80688B75A1FC954821866574C8F083BE1483F46BF63E7981AD0F00CF04807F99,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001539998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.546{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-36671-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001539997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.290{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65058-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001539996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:00:59.290{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65058-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001539995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.081{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38A1015204F44AA460E7E990DF09BDF8,SHA256=6028F3E7D2847F6DAAF829DA4A80135BC5099C40B573088E90FF48B97CC171D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:03.567{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D71FC7E8CA9B708A62648CE0B6D980,SHA256=32FB0C30AAFFFA49AC912A36353A1C1A67BBF996E660FCDAA0BD4446A87453D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.331{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07C524E65C6430E0185F869FDD4E4DE,SHA256=9B9DCE514659982F96A32D22FFD0A8082F528BB00BA6F3E571F630A84C770410,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.285{5EBD8912-2B4F-6154-FF02-00000000FE01}28005772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001540020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:01.034{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-43747-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:00.344{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65059-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:00.300{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-49032-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.159{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=785079744C8F1D2603D91D004BDAB003,SHA256=2F1C6550CC33DE6F654CDBA13B12538496FD401539005BAA765E97FB7B291C9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.019{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B4F-6154-FF02-00000000FE01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.019{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.019{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.019{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.019{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.019{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2B4F-6154-FF02-00000000FE01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.019{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B4F-6154-FF02-00000000FE01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.019{5EBD8912-2B4F-6154-FF02-00000000FE01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001540034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:04.659{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B50-6154-0003-00000000FE01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:04.659{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:04.659{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:04.659{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:04.659{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:04.659{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2B50-6154-0003-00000000FE01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:04.659{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B50-6154-0003-00000000FE01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:04.660{5EBD8912-2B50-6154-0003-00000000FE01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:04.331{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4C509EB5A949CB83904D8D36D5E751E,SHA256=93B0C029EC8795F8BCB042533B9C23E08ACA5E11FA9D36D77EC13697B940A85F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:04.582{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C58C9660923C3A2E819DE3193C607F,SHA256=4EE6AE20EA0ED2C422CBAB037FF845AF58C6EEE87C9B2F1A75E30EDDD9515163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:04.284{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63AC64E3E94FFFBC1E7BDE58AF7A8567,SHA256=6997E9009033716445FFCC6FFE0EF119897B7AED2EFD0E7BFBCBFF1A0DF84330,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.320{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-50435-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:01.390{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-53667-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:05.598{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95395906CA2369785EC81166C96D47FB,SHA256=B1B22A1339BA5F075E20865DF9C77EE106553CD30706C3EE50611FC164224CBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:02.484{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-58702-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:05.442{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFC9855C9B2F016F07DFCC015A2DFD5,SHA256=729CD78BBB26E6BC7212E4D104354C488AAA83D9A15CCFF8F35AC1848D03A6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:05.442{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1929F3C96BC21652FF0C6944084EC62,SHA256=51EF252B2FD141C1DBEC55553D2D7D1D35EF9AF14C7B67CA50A22DAD48EAA567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:06.600{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B60936FC747FD2E695D1B735DA9F6C6A,SHA256=551B4403F49AC0607338758797A035601108405E6D42BAD655F95ED158D4905E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:06.598{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B93C839CE1966C1E507037C8B1CB071,SHA256=8ABE6A91D6E0562188CF832C5AE7D02B30B235D2BDE88630687E7C075757728E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:06.442{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DBEF285E2E99050D5F91968E6133FE7,SHA256=EA66275A317E23268D4B92168ED64CF96CB0F7BF7251796DD5C971491B75E8DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:03.773{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50715-false10.0.1.12-8000- 354300x80000000000000001540038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.679{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-4902-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:07.660{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=131CCB8AE13892548FD862AB59EA902B,SHA256=C4D89500855170EE82E0F2DCCE9FDF2645518E057D1E2D5C86934619ABAAD769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:07.442{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CFDE45D58B55883B99DE79B400729E4,SHA256=7884724000E8CACE50E493AF7685B49AE2921F0A6EDA7E24E2F558C622233A50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:07.614{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F33CDC8598378537541543345D4A6C,SHA256=2DE53AD53C515C3B49BAD549AA73F53B4AEFF6CA38DEAEDD7E9C6814D224C503,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:04.782{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-9418-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:03.883{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-59038-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:08.848{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52951A3688BC2DCB7A9788CFC2105C3B,SHA256=83781DB30281AE70DEC2A05B55F67D7800FAAC7B79570BC9E6A4280658854D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:08.442{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FBC5D33FD033B8F8C8A0FD50B023EE2,SHA256=58C178FC423880742982D6A580908925FCB5FE8C53151218D44C6712F49586C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:08.629{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4977EDB82859175BB5A67AB283193A20,SHA256=F1D3D7F9B8BF972C578DFF400F155E18B4C0076953BA2816C3E6E6DB65F0C2E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:05.197{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-6986-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:09.660{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7DA86627F423ED3E253342364568B8,SHA256=0907EC827B77624357CE38873E7B4F4DA87880BF147CC8FEBB2A0626611428ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:09.973{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B235661A5924EBF783E8BDA96CFB21C6,SHA256=5D1D35D63FD9E792C6A2AE6A4C7C909E928ABD1B6B6F56F351F8D426320FD9CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:09.488{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B091CB0C32B3B2C3C5A32DE1F516CD0,SHA256=4F20E1F2869471072E8E47D7FCF913FD1FEBC5B40AA7F467C7D55BDD2C56905A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:06.446{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-13889-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:06.338{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65060-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:05.905{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-14435-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:10.676{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF795FAE6726E053201A57827B2F9F6,SHA256=92E726E9A61274C502A627FDC9BE52016D082CE44B9A0EC7C71DC6D83DA42D55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:10.535{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F45CEEBE255453535B212F73190E675,SHA256=CECF0E2A7A18DD34FCAF3253BC964C607ABA5B03FE5C80F9B0D06DAE3C861F41,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:08.929{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50716-false10.0.1.12-8000- 354300x80000000000000001540054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:07.840{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-20886-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:07.059{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-19459-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:11.676{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CA9610BCD5962E39A6B4722B7E5E92C,SHA256=C252228FE4873FB6F96D21B90724546C0BFF72CEC042C011092EAA50F71F44CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:11.535{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2AAB0456615A6DFAC397D38DDD2E09,SHA256=22852B798B689119CADA403A53E112A1CDCF831F36E0F66EB603D1D84A961755,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:09.334{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-29009-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:09.266{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-29093-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:08.170{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-24214-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:11.129{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F31F1E6BB5E53B3D97D6F5C76BA647CA,SHA256=8FF2C722B309B45AD7CECB9E47865E98D9C322240BF08E5A35FA0FFD1A3602DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:12.692{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAB95F093144BF8AAC1DF461C5FD9633,SHA256=21BB15B0798721891762779E9F2B64752F1053D800940357325492375EFA6D78,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:10.436{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-34076-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:12.535{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43058C07FDBBE4BFB68FC2A708BE6B9B,SHA256=ED30C868F64FADB14BC94DAA67E438ED6A80F456F90F8DF444CE43BE8ECCE4F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:12.207{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B715A4424E07905A3ADECC1E72924010,SHA256=4F0260955C42BC85E24BB8E19FE37177665E228166487656F0BE9B86393613DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:13.723{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1B7BD44C530FE09EE20F87E9291B4F,SHA256=4FAE9EB61F38D859D528C3EE3764DF7ECE4A1A0F5A1B4D2CFF5F5A815CF33FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:13.535{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE31BFE72B821017F0702002862BCE35,SHA256=4E84764D7697C9262F07A8264EB3EA42820FA6F2678ABB7E48EC55041308AC91,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:10.634{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-36255-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:13.332{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C2F222228E6FACADBBF0648F5CA3B2D,SHA256=DEA9070965BFBFA69474A8018D11CD56F1C6757BAB9A709817C667CC8EFCFD36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:14.848{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B311F29F05BCF2301C33BD2F0FCDF9B9,SHA256=4C2A70A75704BC7195DED9425722FB9AFC2821A3F75FFD913B8476669BD7661D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:14.738{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B676CA27353EBC80B66BC37F505D1C61,SHA256=445058079E064F74905C3465F24173E3F37CE031B638CB4D336657828251CF35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:14.535{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F708D6BB3E4A4B4374060A1F7F5D78,SHA256=1B224952199DAC048B11E16462DCE219EB1B4708B321CCB3FBF92B6841E7116D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:12.642{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-43792-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:12.338{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65061-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:12.014{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-43825-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:11.528{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-38867-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:14.426{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DF73E507952656F0591349E7EAA4F94,SHA256=00A05ECB968BBDAE96E937F3EA1DF645E51BC0DE5A34C0BA665430D84CD1C9F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:15.785{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03780FDC79C176C598A9203A27E2E66E,SHA256=852F2E6324B3A573DE96DCB07D86079AFF145CECF6A31C0D895E9EA9D42D1344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:15.535{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50939C1BD73C1C63E256CD2E6E226658,SHA256=B3669E643CEB1BFB206CC05B1AE10BDB584ED0224487F3E7F7BAD4E595C71CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:15.535{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=108C2E49CE2877F98A77C7F113F90591,SHA256=8FD228AE3D83AACF4524BBB8B3DBCC1944E575D58A5DC22B4931590F85A76735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:15.478{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-077MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:13.257{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-50680-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:16.820{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD8B73F6D7B38E87FDEEFACA8E69D95,SHA256=CAB589480BD490169FF2D4B3B74B6049FB04438CC3BD2A19869CF2335FEC4CDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:13.749{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-48597-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:16.660{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C620FA00C50E55D094093A96A73543E,SHA256=1A3FACBFCCD1360504B521AAD74D321223093E44F7B806C67B286ABA3E7C88BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:16.535{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EBF78EE2FAD1683F4026FBE6E8E80B6,SHA256=0DA40A614035540B2238FC15098F6D2C4CFCA4A41230617E27FCE83850444447,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:14.806{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50717-false10.0.1.12-8000- 23542300x80000000000000001445135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:16.490{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-078MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:16.067{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:17.900{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E8839332F635F85256A340E2A4CB387,SHA256=51A3F8FE67BF89620AC74C63FF60B2AB10366281C8DB0008EDBA185D22ABFD62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:17.754{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=560D8B43AC5D79D4BCFE98EEF22D38B6,SHA256=5C8370532B71510D2546B929E5BDFA3D849FBAC9302419447E672E01EAA26BFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:17.535{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F05730FA90B02466B3D6E4ACE816728,SHA256=910421F7243E8A3509C608C47A8F006F57FE3F268B784F6B76984E7B64E8C943,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:14.862{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-53626-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:14.821{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-58308-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001445138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:15.742{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50718-false10.0.1.12-8089- 23542300x80000000000000001445140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:18.933{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3837910D19186178F9025F4A0B9FC32,SHA256=DB692A52A3B19DD0E4DFB4BF070794B4125390AD540E77CBEB70548F8ACB7DC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:15.970{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-58569-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:18.535{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3763A3A3AB2B6E033363445D43C871,SHA256=015FB5536092BB09582165990CAB893FF523B66B69EEEB6476668D9A6866A98A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:19.980{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3A9B3C21951005F4FE45CA285E7914B,SHA256=3E23F18C6B73148AF442B0045F28E45D338F3068B51180E35D7365DEDA5C787D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:16.172{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-6392-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:19.535{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA19135B79507F0F9F62A15BA74A95FE,SHA256=D30D9BF8C832CF9BEF14654B1C6F136EE53D7A00A2531684EE0F9A21B418A317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:19.098{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=120CED65876CD11AE5163F2844C3C299,SHA256=7D4680AFF7F5FAF1BC842847BCAD1C8157AF72CB7041BDD1055B6F536CEB563E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.566{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001540094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:18.774{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-20898-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:18.405{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-9919-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:18.354{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65062-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:17.525{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-14085-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:17.329{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-5329-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.535{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA0308306100FA42B4309F1224F01DA,SHA256=CA7F6F1F97B069C6804D3EA94725A2A06AE5C6A73582D62025F9B1D1E9138DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.176{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12897DCFCBA5E06000BE989AE5440DEC,SHA256=F22E448E8B71685CC7D3EC8024B7088A036A0329F1E40D1F584FFAE84F82288E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:21.707{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72BFC4920683938F618B07DD2AF842AA,SHA256=C6A599368A407A0F66533035678ACCB9E5F487C4A9FBE0B7E22A9FCBE169B533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:21.027{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812D2CF79C4FDFB3E6B3B22A51F538C5,SHA256=475CFD57F9215E439958A5DFA5B541171C20FC61BBA50DFDDFEAB1DE226F2F0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:21.254{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10B3D29CFB670B7E50C555CE808A0851,SHA256=94149D3015303D298F5DB662288F5A7960D39D7F86EAA5615BE062D9DEFB90E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:22.707{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2C7641B10807295C879574E230052C,SHA256=57B3C50CC05D1855A959A9D0A8BDFE829D01E2FFAD4913C3EC8DC8D51E0E6C55,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:20.842{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50719-false10.0.1.12-8000- 23542300x80000000000000001445143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:22.042{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BEC3099BB8BC2F43547D9BB6EBF8112,SHA256=328F5CBA6B1B55FB9000F1AD7ACCF5019401E02275BE98A934E4538E867400DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:19.487{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-14903-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:22.332{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89F7971C870A079961D113927A5B09E2,SHA256=CBA2CABDF89D466F6EE953D20531EE694ED42796781B53F640795193616AE131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:23.738{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1593208B2495F3CE6F5B03BEBDE6DBD5,SHA256=1B5F86CB5BCEC8178F552944D5F621D6EF4993493C994135AACF4BF6B5C815FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:23.058{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C124CF8C022DC219447CFF38F6C723B6,SHA256=DAC624D04DB6D793D4D1CE838627A048FB185A8195547269AFEC2B462028FEA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:21.377{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-34629-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.561{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-19630-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:20.024{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-27929-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:23.566{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=873823BC54C8FFCC52E03DF04D9FAAAB,SHA256=DB3128E4B9BD6D5E2AEDF18F49826A9D247B66AFFC83B2E36C01C4237F5533A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:24.863{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5758B311F70CF588547608A0505CC3E3,SHA256=02ECF40C5C4FCBE0B78A57D86D8C4EACEE81D494F6E57FC288A7999BD850B400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:24.073{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95481A214DC626CF8A954E7C7DD86BBC,SHA256=EE8BBC06EB7B548E4D5CA949E10A4137A34D1BC194A2819DE45593E37923C7AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:22.640{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-41405-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:21.663{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-24427-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:24.598{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DE8BE48726854436BF64C919615C448,SHA256=7D4A2EBBAAE1D12FE1F94FADDC8C1EB26923D25C2823AA226C4579A4F28D0302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:25.903{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E6F791F06D0EC840B4ABA22F8C0347D,SHA256=5387B7460A811E6D0BA59177464E52DA9B5DD3EF8ABC0DA15BC50C8CC9636B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:25.089{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1FD7D43D02C3655B55EA260C5E48FC9,SHA256=CAE2C4DEA9B37FDF63587D637F2CF6F399340222037BEE2C883DF37EAB1E5901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:25.732{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECEF37187591394FA0E2CDCB07CA3D33,SHA256=88B437C7868A282CAD2CFAD20DE9075467968903B4ADF44AC84CA1D3C9FD7D8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:22.875{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-29540-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:26.966{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E60337331041165138FBD5DA0586D4,SHA256=F23BAC93AA65ED5CC10DD8414E3F7060E8AAF02576FBDE69091BCCC418AD0FFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:26.810{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D2E66AEBF4FC132816B892B837AD237,SHA256=ED586942C19363786323BE2492C81A51FB24625B48EF472B23344FE3FD9FB4B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:23.960{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-48355-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:23.953{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-34282-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:23.416{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65063-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001445148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:26.105{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357C93A4152C20DB8C9EBD2FE4A0977D,SHA256=637DB880DC374F89C9052ADA1AEC3666BBAB9EF76D03DBE88716760F320531D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:25.487{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-56380-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:25.039{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-38966-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001445162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.495{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B67-6154-C702-00000000FE01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.495{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.495{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.495{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.495{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.495{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.495{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.495{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.495{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.495{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.495{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2B67-6154-C702-00000000FE01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.495{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B67-6154-C702-00000000FE01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.496{69CF5F33-2B67-6154-C702-00000000FE01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:27.120{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9DA6B0D8DDB99EC9DBFDFC1EAD6FCD,SHA256=CD70B60847FEF556FCA85B1548E1EE394F34918F6D4599B9A96E14F399324C2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:26.873{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50720-false10.0.1.12-8000- 10341000x80000000000000001445179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.855{69CF5F33-2B68-6154-C802-00000000FE01}16682324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.605{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B68-6154-C802-00000000FE01}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.605{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2B68-6154-C802-00000000FE01}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.605{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B68-6154-C802-00000000FE01}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.605{69CF5F33-2B68-6154-C802-00000000FE01}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.542{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E4171C49816161307FFE76252081575,SHA256=30AFB907E28CD8B17242FFAEBEC64E99001F7AE6DF2A10C75564FC07DC38EEE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.542{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E67CE1C24F91E52C4076F0F377357EB,SHA256=01FF5E8208D44A108DEDCB8B1E779F5EE111F0619B33309ECA9ADBECFCDBE819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:28.136{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3928CF301DD7410B222F9DFC416601C6,SHA256=95B18293D21AE70D6FF18B120D8F6E7E3E35CAB24CF03390E2909B8AEBB81125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:28.028{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D5219D1B5DC9517C574DCD00D4C67CF,SHA256=CEF8EFD192956C1FF79B4463F14E0FCFF11FDB0C99F1C22168E03CA9B6C4E2AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:28.013{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F8827FEE353022FD59FEDE939BBDDC,SHA256=70AB0C766970CC794D5925BD382CD89E1A499046EFDECF654F467D7B656CAC7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:26.738{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-4420-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:26.134{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-43779-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:29.106{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4017AEBD84872F8D8E1E3D80C37ED620,SHA256=A694CEE0A76522F90F8A78130A4B6F9C5D87B47B09DD4807C2FE1EE700707E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:29.013{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3499459323A2BA870ED62307D4DB22EF,SHA256=2CC01D736FEC5E8A62013C4B21D86EC4174E9D562D54440CF8FA3BC428B5D500,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:29.652{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B69-6154-C902-00000000FE01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:29.652{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:29.652{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:29.652{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:29.652{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:29.652{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:29.652{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:29.652{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:29.652{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:29.652{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:29.652{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2B69-6154-C902-00000000FE01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:29.652{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B69-6154-C902-00000000FE01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:29.652{69CF5F33-2B69-6154-C902-00000000FE01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:29.620{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E4171C49816161307FFE76252081575,SHA256=30AFB907E28CD8B17242FFAEBEC64E99001F7AE6DF2A10C75564FC07DC38EEE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:29.152{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7F8F7E681076445A0843B78D065CDBA,SHA256=45FF7C6BF732805521F04095BFE0709A0A43103F57A01C379C738C73A7EB6C1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:30.950{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-1892-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001540156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:28.519{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65064-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:28.414{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-53722-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:28.002{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-10954-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:27.835{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.92.42-53187-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:27.336{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-48954-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:30.200{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=660880D10469D9AFB2001A7A93228816,SHA256=67C3EB0BB935AE6B3E721FDF075161EB39F7AEE124BE831A43F080D84A848A17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:30.652{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B45ABBAE8AFFAA612925B9817FA0D186,SHA256=E1BB931F8DCF4CBA7E98479F575C624193FEF459EB4171EA864D35A3698C5EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:30.167{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F684981171DB4CE279165B6962495EA,SHA256=6E436D972E36EE33F3E0E004D3950877FDA81AC18524D30C77523E40B2298F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:30.185{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3F5C5563CDCDEDF205DB848042A66DE,SHA256=A9309950B833478E41B5F6782A5647F112EADE382FCCA9975B6E9B1809A13B5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:29.493{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-58468-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:31.263{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E87BCF361DD19DB4136F9492596669CE,SHA256=250D10F50F7DDF58F3A9A17D041EE21E20416C49BC7085C9A5D49427AF2C818A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:31.200{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=479388EAF261343E963C8D0959AFA6A1,SHA256=3159042693DD296E5B6B68CAB9A6060ED523B006C7850CCCB5A35A4704650046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:31.183{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65699184BE334E22543FD004B48D4E40,SHA256=1C6A52EFA24CD5A5BC10BAD00B76F27EB2D24CB521EF5EB556CB8D0002F7DA17,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:30.575{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-4102-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:30.239{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65065-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001540164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:30.239{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65065-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001540163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:29.605{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-18759-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:32.356{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D1C168C746590EA241E769FD513AC24,SHA256=C81B55EE4B907F49D5D984D134A6377F6B1E345430387529FCF22911E0F120D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:32.200{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A3562D3F9A53353B7ADD4237ADE967,SHA256=F0737AF5125AD1305995D76FA16783154E93A69C8AFFB87FF21AB8C51B0C1B55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:32.199{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2520203DD058BC3665B448AAFE2EF8,SHA256=D6DA7CA858C346BE09E14D18E9D16AF5A195DE09E29AC1B3F810C62BF1C1B6EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:33.214{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36DE5E3496FC404FE814ED59A1BDB869,SHA256=D2776F5B0651975DF490861B56CDEB36CD5D99EAB960FE940AA8C5BC7679AA62,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:30.880{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-25371-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:33.794{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ACB42264EC4612B2FA02F7A8B417A489,SHA256=28F15A036CDEB414CBC980C4CC2432ECAF1C15B6B466F6B481E63670972F32B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:33.450{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A1836ACD065EA58C01A55D9D63BA7B6,SHA256=0D751B6CD108D6F679321BD104A9DAC90BE4CD70F132206462FECD8A3840AEC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:33.216{5EBD8912-18AC-6154-1600-00000000FE01}12721020C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:33.216{5EBD8912-18AC-6154-1600-00000000FE01}12721020C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001540167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:33.200{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76263A8E665C02EE180AAD737C9899F3,SHA256=A3F09609C136C448D31187197B2AAA3DA229F77768330993D56ADC8024B19E6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:32.158{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-32786-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:31.676{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-8770-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 13241300x80000000000000001540184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:01:34.778{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001540183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:01:34.778{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0049b264) 13241300x80000000000000001540182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:01:34.778{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b508-0x3881fc81) 13241300x80000000000000001540181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:01:34.778{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b510-0x9a466481) 13241300x80000000000000001540180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:01:34.778{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b518-0xfc0acc81) 13241300x80000000000000001540179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:01:34.778{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001540178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:01:34.778{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0049b264) 13241300x80000000000000001540177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:01:34.778{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b508-0x3881fc81) 13241300x80000000000000001540176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:01:34.778{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b510-0x9a466481) 13241300x80000000000000001540175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:01:34.778{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b518-0xfc0acc81) 23542300x80000000000000001540174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:34.560{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8F51F6CCC3F089B71DC0218ECF8FEDC,SHA256=243C0017FA4C4D25C489991F0AC41458D9C5818FBBEEBAB35EB5038D30B54B4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:34.200{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C0A1F764D70184EBB3F648126D0A7D,SHA256=068366500C81F57C87DE6EE31A03115FF771450E074EFD53E155724A62933BD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:34.230{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA38658C7EA6C1D7089FFC0A66EBAFE9,SHA256=887BEDFA9703E91EA7B996959FF0A63D332BB2E2329C5440192896141386DCA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:31.889{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50721-false10.0.1.12-8000- 354300x80000000000000001540189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:32.780{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-13589-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:35.685{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A115A88767EEBB3CF7DE5CF474D2AB6C,SHA256=7DA4F88C1B3FB9BCD7027A38448CE3B6EB7C330EEC47862726B04F8C156E0D39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:35.435{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F875FEFA41C202A2EA00E46954C699,SHA256=69495839CF492D32EC48F38FD8590EBA9087317E4E85180A31BCF3F9CD6FF41B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:35.245{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3DF08B634A89EC4942DDA3FCD24981,SHA256=4F0B41375103419EDD013151A99574C85729462F1547466ECDB626FD25338B23,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:34.725{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-46287-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:34.363{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65066-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:33.881{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-18199-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:33.455{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-39585-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:36.763{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B0A6F6EEF2F70ADBA11B01C35744D07,SHA256=5B9307351A0BB8E00E5FEA6690107C8517BEFFA83AB2146AD8B0729B6B5D5A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:36.435{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849B7CF61C4ECD1D578DBAEF8985BD32,SHA256=B770FBA4751CE2AFD59AADE5E5009274295BB69BD83D5DE38EA6FACAD32B9871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:36.261{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D07F9CBEAE9D89BCD89196C95AF1F4B,SHA256=D484C5D6963354F949EA43073653964A44E5C88150E43E23D6FE94A2373A3B17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:37.277{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99692A62CF71425C85C0BDF7902B4CE2,SHA256=66C3CA626385B868F979025700AFD1B01FF990C3B189E062E8792B714008BC6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:37.919{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2EFB4F8D0301CF1FA5203A10AFFEEDF,SHA256=F6D557A16A76EFE7BD49E4FF446F7341B142D496E7F648BA50BEE4D757E4503C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:34.993{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-23267-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:37.481{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14260002173F2F78E30F3893F3D54069,SHA256=55CDBAB2240BC3D37FD8F93CD274868578975D081B36DEA42D4AEEBD7F3B46BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:36.189{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-27997-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:35.988{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-53169-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:38.481{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E269E4EB61535E722DB4894DA4F91C,SHA256=0DCD20BF7535AD77440B27490476FFE6094DC00639F0ADE9F5B7478F787DA997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:38.292{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42750085BE6304B5DE5CEA4FB4EB5E36,SHA256=A782826A69DFF05C3A7E6D4E875BDB3C3A616EAD67F4F71519DB907BE648B0DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:37.289{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-32706-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:37.283{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-1228-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:39.481{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07FCC88AFDA6FDD5B1944BAF914BE25E,SHA256=8AA65979FD76A7000D531EC4D5163FDE3348F484769BCC7C6E74C92A2EF4126C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:37.763{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50722-false10.0.1.12-8000- 23542300x80000000000000001445207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:39.308{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0096F07B9635C48D323DCF1512D5BF5A,SHA256=890F4ECCC04B2687E8069AC9FE3DCEDA4C4D57F24A99A8C7A3ED9DE95B29286E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:39.091{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6625CBCF02840D5A900143BC267FAE73,SHA256=4CDB7111C95DB1E46F2D067FE5EE3EA3F8C3BBA9D1033383C404330F0E0425A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:38.658{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-8431-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:38.414{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-37575-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:40.481{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB692D6CBDECCF6C91AAFD3F5E846AD8,SHA256=EC90FE6000FBEF651825326EDB69CB865D74FF02049AEF12E49AB41991DB4CB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:40.324{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63D06DB811C3952DA3903927CAF3408E,SHA256=8521E0FEADC5E2C3FCA9EEA50249221C7315B6EB5BC9402C95B72D5AC4CC3313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:40.216{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05123BC8D6678B330DA2F0B26E56BB3F,SHA256=BCA0C9AF3B9D80C5F389D7CF6468FCDF520B101EFF986869996F29A934F36478,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:39.910{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-15341-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:39.538{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-42603-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:39.535{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65067-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:41.481{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08914E62FD7E0BFDB56D754229CE972,SHA256=7205B59458C3E0B60EE5B39A0768C32B166BCE4D6A73F0AAF4CABCD7E6F696C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:41.324{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4450AA18017C1242005296D261911BAA,SHA256=4EBD6D76780CF09C59B56AD78D639692EF7152788BE41225A927C064C7E9EE74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:41.341{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A01BBF6003782D87667EC82BBFB8324,SHA256=AF441519C9946BBA51BFD44EC05BF13DAEC3EB3BBC57B6B24A918B659BCCC7A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:40.653{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-47311-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:42.653{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13EAD0C233ED755BACDA34D608BECF03,SHA256=1B76AEC06B74D8E699D44DB3F680E0F799E47DFCC2186A34113B594AF6B8BA3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:42.481{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7F28F1D7D8675CCE9A7679888351B1,SHA256=076E7A3213BCAFF26FA4E525A4DCFAD831CE6AADC054F4BAFF35E517B30AB1C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.980{69CF5F33-2B76-6154-CA02-00000000FE01}40603360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.699{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B76-6154-CA02-00000000FE01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.699{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2B76-6154-CA02-00000000FE01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.699{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B76-6154-CA02-00000000FE01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.700{69CF5F33-2B76-6154-CA02-00000000FE01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.324{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BECCDDA060FF9EDEDD1D629EBA1A91BD,SHA256=BDEAB0EAC9BE36478E495DCC49D29BF356081E49A50C610A73F139DE7B4FCA40,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:42.021{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-52797-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:41.195{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-22248-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:43.825{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE24E877D06BCEEF31BADD432E6D0184,SHA256=EB1008555CBDC1A338BD768D61762C845DC92B7A498470AC892F6932C434957B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:43.481{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735D000AF15C6C36DCEFDD84C1F3CB5D,SHA256=884D966D6FCEB5480F50BE424633939E5B9FD11820CD2EBE4EB475082491E410,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.933{69CF5F33-2B77-6154-CC02-00000000FE01}27681996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.761{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B77-6154-CC02-00000000FE01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.761{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.761{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.761{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.761{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.761{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.761{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.761{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.761{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.761{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.761{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2B77-6154-CC02-00000000FE01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.761{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B77-6154-CC02-00000000FE01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.762{69CF5F33-2B77-6154-CC02-00000000FE01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.730{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=364A480CEAA405AA1AB1CB1344708623,SHA256=F9096093EECC4C57820EF343FA20EA4A4A0F6230DBDCAAC9587A592E08ABC67A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.730{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=459276718A0A5919540D25133EE66BEA,SHA256=FB8A60E9A6FF99AA3DAF47A8EE02EFB944F46D053BEDF1029ED5E3AF21435F83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.543{69CF5F33-2B77-6154-CB02-00000000FE01}37683352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001445239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.402{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B63D619B8AB67212581724101F8B2AB4,SHA256=1B1834A43CA956D922D58CCD0A605A291A76B0E246A222BA2C67F53F804E360D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.199{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B77-6154-CB02-00000000FE01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.199{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.199{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.199{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.199{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.199{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.199{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.199{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.199{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.199{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.199{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2B77-6154-CB02-00000000FE01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.199{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B77-6154-CB02-00000000FE01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:43.200{69CF5F33-2B77-6154-CB02-00000000FE01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001540224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:42.471{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-29320-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:44.950{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5866197A725DE735EDE9AEBE5E15EF74,SHA256=DF22F2B31F2F87C23F137C97702D9BA525C71EEFF0D1DC7351CFB9A4BDC4E41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:44.606{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F5CBAA33194B59F3C153106326D5E0,SHA256=1A01E8616D0C8C299A04EE92F5A701873E69D189E3434E9D6AF4ACB73E81095D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:44.996{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=364A480CEAA405AA1AB1CB1344708623,SHA256=F9096093EECC4C57820EF343FA20EA4A4A0F6230DBDCAAC9587A592E08ABC67A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:44.902{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FA06837146DFBEB9BB9219B7192877,SHA256=7DD47290995377EC9A8AB93494C5B530C6C2B880F23BEF07404161E7130A15CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:42.763{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50723-false10.0.1.12-8000- 10341000x80000000000000001445269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:44.433{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2B78-6154-CD02-00000000FE01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:44.433{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:44.433{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:44.433{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:44.433{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:44.433{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:44.433{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:44.433{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:44.433{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:44.433{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:44.433{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2B78-6154-CD02-00000000FE01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:44.433{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2B78-6154-CD02-00000000FE01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:44.434{69CF5F33-2B78-6154-CD02-00000000FE01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:45.636{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45DE6AF3B0DBE13BD0F90B064C035DF2,SHA256=A703E560870E8A30493893082219C31FD334A4B916639C415652375BEE1E66E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:43.767{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-36343-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:43.148{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-57953-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:45.971{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:45.609{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE61ADF8D020449DAB101DC51C0B6AEC,SHA256=7DB83FA4DA01D5DFE57C9E38C4132B55D1E227792835F64F11DB19A8C108CAC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:46.611{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043DF0E8F03FB12C92EFB2848748820F,SHA256=FA3F0410AB9B157914564DE5C09E5BE99B714609B83903F2A5D25F3CB9C290DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:46.652{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC547EA1F84B22A7CAAF65B4A97CE8D3,SHA256=8B2F554E1C46E685E136B294C22F74BE11167AA0ED1C69419E9C163A83945ABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:46.426{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-077MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:46.065{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C039DDA15048C003A50ADFC622309560,SHA256=03EEE5C939D6CBAFCE23E465009078ABC4F1F5A919A31756212A7530EA56BC07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:47.668{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DAD3DE573143E5704C2C7437FD143D1,SHA256=06996E179C786F045D7297F4A10F0D9AFBB5FF5CF91BF3FE3435CEFC4F22633F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:47.656{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5534192103CABD31CFAEBCEC090EAA93,SHA256=A453822FC508D6AFD6CC35A14BCF50BAB1CDB69736C56AC4195C70AAF6F70874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:47.440{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-078MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:47.142{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=529955B9466C99B745CAF13D80E9C5CE,SHA256=788F7D3207CA061050ACADAD145DE85FD3D90FB542BE018821F2F6BACFD7E06C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:44.285{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-3831-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:48.699{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F006F50D21EC0999A7B3E64EDB83FF2A,SHA256=BD397A23ACF393D8319D4D3F04EBDD8D8FD7DBD5DDFFA85ADF0757F149F1878B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:48.664{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D8815E37D3C9D38CD3DDD74324EEB2,SHA256=88B0AAD118590387182081958214865A8933317A3AD876FA6D2480126780A7FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:48.241{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79C99D14DE2C4937D5E74635E5DCA4BB,SHA256=BBDAA7A9E843F177B38739D722E18C076BEDC1BCB965788146671E10C3E433DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:45.373{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-8322-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:45.259{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65068-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001540236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:45.086{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-43303-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:49.664{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C701A397C9B0C83014FD23AA1BEF5354,SHA256=AECA38031486F2A65281B3329030B301CF705D5B0191E7F4B9206439C9127CDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:47.877{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50724-false10.0.1.12-8000- 23542300x80000000000000001445277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:49.730{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6981D3314D9063D83237D5D370844DC,SHA256=85576CB2C447E2F4F5300A3408617564121A308E89039B0CA82AED30F00D539E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:49.461{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11969F52ED33019289A7C9A7C9500EB1,SHA256=6B9813F028CCF1D37B778BE8FC849C500E0E23EEC882ED661BF8D465FB35D8BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:46.383{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-49656-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:45.462{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65069-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:50.664{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3B34CA0872947CEE3779CF71ABAC59,SHA256=F29D22F4E8ACC36F02CD59A1A655B7C159C0AFBF9EF1F53C96B05F13478BE715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:50.761{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE15F2C835DB1A25E67405DEC5695D6,SHA256=4F8D179FA3EDBA01843ABFFF8D1DCDB00D323B9633BE131745EE0F7F873954BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:50.585{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91ACD55DB65298064399299563FF974E,SHA256=36DBF5CBD7F6FAAE4CD6650CEDB14EC28BAC55FADCB5BB0F0CE484631B7F6207,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:47.638{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-56767-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:47.636{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-17764-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:46.453{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-13194-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:51.777{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65AD1C6C7D263EA5F0A5FF6E9F71C4DB,SHA256=99234158EC80AA05704312A52AAC5EF84A8C1921F32A29C0C0AE3B00FEB10F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:51.664{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE5DF85E06B303FA8330E2A226B577D,SHA256=E291A03E8A488D637D529D47E93BA08D5513BA09786E893AF35DB0D267F6CF74,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:48.904{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-4740-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:48.783{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-22722-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:52.855{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0773882614153E19736B2E7D879B344C,SHA256=EA522FA25C2A969E346EF315DA508E6B722F07AC45DCF2C86780F36E9CEBF167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:52.664{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A392792763AB66516FBE222D38DA9E30,SHA256=3CAB364CFBF0054C38F719DF6946560EB517598E5F30EFDD8719F0CC300C92E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:50.153{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-11703-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:52.039{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D931D90E689B16572B44B5DAB3B4B51,SHA256=7BB5819BC73471372E545EF1B5F11B4225D71EFD34FBD688D8FFCBE5E272598F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:53.886{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5287B55BE450983B6E75B0F2C3F3D40,SHA256=2053FD931DBAD38F46B03E016DD2BC7AB579308B1A7DBAF9051DE50AA15794BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:52.047{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-21749-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:51.968{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-21328-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:51.888{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-20989-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:51.808{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-20641-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:51.730{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-20194-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:51.652{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-19717-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:51.573{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-18984-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:51.477{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-18325-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.664{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3037C26D458825693689C4F8B517EAD5,SHA256=A6E450DBEF0EBC24E5F5E34E3BC0A0AFA4987B96ACABEE2A45F014B9CD22328B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:50.499{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65070-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.004{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-26267-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:52.998{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-39959-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:52.974{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-39790-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:52.937{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-39702-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:52.915{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-27730-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:52.913{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-25633-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:52.782{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-25295-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:52.688{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-24737-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:52.571{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-23834-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:52.361{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-23119-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:52.283{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-22720-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:52.205{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-22414-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:52.126{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-22092-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:54.664{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6444EA559C2C1A8B917A0BEFD735DC0A,SHA256=A1471C59DFAE66B0112A48E67B00C573931F9571473159160722229C9AD00F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:54.918{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BF970283AC74E53AAE32C4AC9B2EE75,SHA256=85A23B019021A402547BE00C787097EC054E7B4CC118ABA42B210211BC0699B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:55.980{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7924B059B283B58015AC966EC735AC38,SHA256=EF058306478F72A95F79BA621F2F779DF7DCC5D5DC26647B677DD0B164744CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:55.664{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03DEE79E141AF40F2040243467750EE4,SHA256=DD5A2AA7CC89C4DE82FFA1F40F0A16FC0A0D9FD319A4534257D055EA691CF186,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:54.145{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-32392-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:54.067{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-31943-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.987{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-31569-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.907{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-31340-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:56.664{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7384F2D193A468AC1F0C2BC5B1FDB9,SHA256=CE4CB2D18FDF79B97B5320FD53339D9D5320E0A630C6984EBD06EE531742637C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:53.763{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50725-false10.0.1.12-8000- 354300x80000000000000001540291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.827{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-30981-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.746{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-30491-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.667{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-30155-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.589{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-29862-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.509{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-29528-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.429{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-29121-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.350{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-28682-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.268{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-28132-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.190{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-27500-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.111{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-26756-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:53.020{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-40078-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001540305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:57.789{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B85-6154-0103-00000000FE01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:57.789{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:57.789{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:57.789{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:57.789{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:57.789{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2B85-6154-0103-00000000FE01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:57.789{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B85-6154-0103-00000000FE01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:57.789{5EBD8912-2B85-6154-0103-00000000FE01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:57.742{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1F5F89A5AFEDF3C7401DFDDFD90EAD,SHA256=6F35B713D65BB08CA81196D2290677E15BD7B5AC3F5460608B88D1A0322D6E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:57.011{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1991D77ABC466168335E9DF820CA52AC,SHA256=94589A4B522501E6C7025BEE07B0008B6EEADE90D9852E180507388B9BECC724,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.960{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B86-6154-0303-00000000FE01}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.960{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.960{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.960{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.960{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.960{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2B86-6154-0303-00000000FE01}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.960{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B86-6154-0303-00000000FE01}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.961{5EBD8912-2B86-6154-0303-00000000FE01}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.835{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=878D4A7F0D0C0BA823AD8201E2B7463E,SHA256=85A78D5CD25C50FEB1C98D059D8073BE633B579AC5DCEFA8E155EE0DEEFB1B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.835{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8662104EF614D0B98C0D597338A6FAC9,SHA256=A449E755986AB9948CDDCF482C0119C52ADDF31EA160C0D2E5E2DA2F845F10A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.789{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6761E22AAA3EE42D3AFB7A0F689733,SHA256=796DF057A62E4EB5246268CC76A4ACCD30F4D8839DB5948F791D90849663FDB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:58.027{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C44AF17039608E246D963F15A69D9CBD,SHA256=91ECFE088561E97B40A0DAA8E0FA4C597EB70DD2F1E7DA4A0DE0C9C5B9B32F6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.679{5EBD8912-2B86-6154-0203-00000000FE01}26845652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.460{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B86-6154-0203-00000000FE01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.460{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.460{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.460{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.460{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.460{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2B86-6154-0203-00000000FE01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.460{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B86-6154-0203-00000000FE01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:58.461{5EBD8912-2B86-6154-0203-00000000FE01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:59.851{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606D8B47F05A8834D3256497D6F1C8EF,SHA256=FA1B2F314B21A15462E1609A90B6CDADEAC5F36326FFA1049726924F840890F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:59.090{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D2A2AD571B953FA31BA0842CF65D531,SHA256=CE1711B074EDAB82BB73B9D543E3DB6EAA4CE4627516AA15DF704B31A70DABE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:56.358{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65071-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:00.851{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC8C1713896AB20D79845D96CBAE446,SHA256=067D0A453E38E22BCEDEE72E9918FAA88C29D978AE2A2E10B51475C50B8CD03B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:00.007{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=878D4A7F0D0C0BA823AD8201E2B7463E,SHA256=85A78D5CD25C50FEB1C98D059D8073BE633B579AC5DCEFA8E155EE0DEEFB1B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:00.105{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5776B0BB409802839BC68B00765F7428,SHA256=8EF1C59D0E0E4A25C62B9EA83BC28F0D717989876DF74BB040325EF341D0C711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:01.882{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1540992C278597871EAECC9CE765A8B0,SHA256=34AEC658A00ECD79CEEA09DE658B839168398A311A9DB814861C3E5F14100E0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:01.137{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F38D50B2E66330C5FC6D701096BFF0,SHA256=3A4694DEA3A57841E68902A8F063B33D796564523648F2ACC8A5E081AA58BBFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:01.648{5EBD8912-2B89-6154-0403-00000000FE01}25001956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:01.492{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B89-6154-0403-00000000FE01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:01.492{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:01.492{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:01.492{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:01.492{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:01.492{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2B89-6154-0403-00000000FE01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:01.492{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B89-6154-0403-00000000FE01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:01.492{5EBD8912-2B89-6154-0403-00000000FE01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:01.007{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=278BD250B631082A408E4FEC7B21837F,SHA256=17994D17F221F11BF2BD6C79FF8F462BE3C8FF5273F04665D57212A16ECC021B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:01:58.763{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50726-false10.0.1.12-8000- 23542300x80000000000000001540353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.882{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29AAF31AA6BF03FBF2D535382A5F9E4B,SHA256=72E31FF695BE33977C5AAC68C28A91F574816856C3A9EFCD1A56922083DC51CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:02.199{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A87572A24BD92295544687632451FB,SHA256=1FF7D22FFADC5819BEE415BAF91FC1D5CDD909441D0F80D4E894DEC8FCF9C0CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.570{5EBD8912-2B8A-6154-0503-00000000FE01}46763440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001540351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.538{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70EBDD1F11D050865FB75F43FBF3EA21,SHA256=F938E506DEA062A8BDD5CD50E334C51C6EF3B2AA95BB822165245EECFADA0DC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.367{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B8A-6154-0503-00000000FE01}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.367{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.367{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.367{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.367{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.367{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2B8A-6154-0503-00000000FE01}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.367{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B8A-6154-0503-00000000FE01}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.367{5EBD8912-2B8A-6154-0503-00000000FE01}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001540342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:59.296{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65072-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001540341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:01:59.296{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65072-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001540363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:03.913{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D7C8F805B08DDA3192D9EA9CA7ADEB,SHA256=12AA3A87B6A980C9AE4757BABD6EB352C8D45D9BE39DA3F8E5245D7D2AE500C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:03.262{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94368884B0C4E77E10408A4B0172DCA9,SHA256=CEBFF9944F3166703093B0F3D8560D0CB42CCB5ED0B56E5EFBE463F291CC79D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:03.288{5EBD8912-2B8B-6154-0603-00000000FE01}52243140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:03.038{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B8B-6154-0603-00000000FE01}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:03.038{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:03.038{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:03.038{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:03.038{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:03.038{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2B8B-6154-0603-00000000FE01}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:03.038{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B8B-6154-0603-00000000FE01}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:03.039{5EBD8912-2B8B-6154-0603-00000000FE01}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:04.913{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D66E27553C34163D71BAD23D6935FE,SHA256=70FF4095F5918C0B92DF24A4D6515FB2DF36152C9E2454C22C9FCAE27522FAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:04.277{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6228726D1D4E8C6B82865D816C3F85E,SHA256=E4AB1F11A6C221057E0F04A6EB47DC1EA5246DB878A5AFD2D3411C162AA0072C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:04.663{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2B8C-6154-0703-00000000FE01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:04.663{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:04.663{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:04.663{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:04.663{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:04.663{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2B8C-6154-0703-00000000FE01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:04.663{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2B8C-6154-0703-00000000FE01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:04.664{5EBD8912-2B8C-6154-0703-00000000FE01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:04.038{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=365F4100BFDAF22D1F34C4166EB666E1,SHA256=7BD7406F874087815FC933A52CD8F28E2CF2DE346A0A796FA749C7490E88808E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:05.277{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0399B92092A1C784CB95F8094D6F163,SHA256=222009578E1911D3CD2C83360B569F4C67C76ADEA80B6107FD0AB6694B74A0F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:05.704{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86568A4500AE403E425A051305DB74ED,SHA256=CA4AF3D3BDEBAF648525F43A2942A36B3732E25554DDE55009834D263A9F8ACE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:02.390{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65073-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001445297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:06.308{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24645DE614F3BBA8657720CE6001CDC,SHA256=BF78EEAF165F2EC937391EC5984BB160D9B40948F0ECA814606AE909B822CD1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:03.795{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50727-false10.0.1.12-8000- 23542300x80000000000000001540376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:06.033{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B2E577BC0931EC82A00DD82F98387F,SHA256=630D992B5D6E83C73A233ACF876588F8F2F3A670114D8311258AD80C0A292F79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:07.324{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7BB0EFCE2E35B82A6A853F70EF33F2,SHA256=944B01763D406CCC86A6CED302D05D620B0B5140750052D5C29CDC2B47B0B61F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:07.033{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=005BD9B49BD2FA4065CBF2F2CBE6757C,SHA256=BF1B77EDEDFFFDFBAADFB0DFEAA635CE331D7F67D3C5D246CB6D20159A9873BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:08.355{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4620E96A4D65DEF8C40BA013D9EDA73,SHA256=376DE78E28B60619BB4D2D388848BF0C8DFED995C4DF55808781912BD737609E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:08.032{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E9315E7FA92034B9E411252C471A5FE,SHA256=85C447124226F4E479BB50EA3C17420798D815DE564DA153F01262D730B9B860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:09.371{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B865363777812103BCAC70BC1A2FF4,SHA256=06FE672A080998B8A0479CF0185BD8709E8930E0EFFC76F48229001C7782D592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:09.032{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7310473791A5FDCE5B8076D77FC25DDB,SHA256=728900B9BC4AAB9E02F63087E47E3A734C4CD1F64F345C84B2D63EE97F6F977C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:08.826{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50728-false10.0.1.12-8000- 23542300x80000000000000001445301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:10.418{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C609B53001C0030C981348C1565891,SHA256=28EBA1575ADBFEB8EC3077E5479B446903317DEF6993718996C13D60D25B0891,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001540383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:02:10.173{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001540382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:02:10.157{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001540381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:02:10.157{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x80000000000000001540380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:10.032{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64263AF6EBD5135006D07D373DA2E91C,SHA256=6DA0AF3D1D1C1B07DB5AE76023C726FD03554455CD68201358EF72DD808E33D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:11.434{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EFCE08F513A7E840FC5D5855A78E863,SHA256=0408EEB815C9040730ACC1C71E6A66F2B0339DD5625A5742639037B7C69B3224,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:09.463{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65076-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001540390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:09.463{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65076-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001540389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:09.447{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65075-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001540388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:09.447{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65075-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001540387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:08.352{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65074-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:11.189{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CA682C2CF20025AC8AA89B0B7E0FF90,SHA256=7DB32ECAD0E6E1AC67754B9429DFB5FDA7AD145C18DBAD393D2F6CA9F98DEDA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:11.189{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A249925A6A89D322CC09F2CF1321CAB,SHA256=819B8A97079DDB31A1F7C1187EF0F01CE31E56201E5F55329584DF3D978DD9AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:11.032{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260B79910E5CC07521B2CC143C0C9A9D,SHA256=CB67A25DA9985A434C047346127DF61FD922B5E9CAF1D324B702DC385291D9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:12.449{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55469A7A0FB79939A28D9C41C037F924,SHA256=3EC92414ABFBFF3BA49D28683D0AC1D043875ACC7D38B4F703BD4CB3D0F53921,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:09.471{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65077-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001540393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:09.471{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65077-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001540392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:12.032{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183A001BCE69B2149C14B0F7355E8A6A,SHA256=5FB0AF2331A5236C31CC8C1A9A15641BE923D40158CDE31A292B7ED8E78B8223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:13.465{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF58CAE149E7794BC4555CCB15196356,SHA256=1943BBF80D7B71EE657CD42636233570878F09561CC7E62482034E79E5B4A426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:13.032{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3799F7E9660377A0C8FAAB8FFCBC5E82,SHA256=2B759B77AE598668F1F3E10E21A52BAD7D4CCEED7DB0CA76E32D42C5E2B93921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:14.856{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D99414828323FB989D286FB1D3185C98,SHA256=CD2FAB5B70E33496F22F6AF217BE0F4A83414C6FC5E5F92FF6BAC9ED2204791B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:14.496{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B391E4FB300B18476A5B888D2237676B,SHA256=19E9DE603538A6DAD426E2A9963726969457CF9215A9F8A01121B13C296444D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:14.032{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DFF392254A08A673BAF3DA013E76CA,SHA256=7BBFE1FEDE5028CAE267E6CBEA37FD8912FD5BA2C5B4CB7B12A99C44CE51E1C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:15.527{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8502D50E720AA31F51701841471DEB,SHA256=6B2152DC87101E2CEE94281C04446C8F55679ED93C2F64661526596F0186CD4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:13.431{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65078-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:15.032{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1768B925F9AB00666930D446FC1AF7,SHA256=9EB059D29BE827CD49406CFAF065C646872D83980D92B9AEFC33AF32D6D6264D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:16.998{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-078MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:16.543{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB9379D5D392D8E941311115F2D77F89,SHA256=9C11B6FC384070A92EE70BDE8E4E2CFC61986E0097221A6DC831977992451B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:16.048{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE10FC9040FA360515E513FA60B213FE,SHA256=98632A5673639A51D04E2666E69912C8FDC5F597D1008092DDC74FFD16659353,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:14.858{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50729-false10.0.1.12-8000- 23542300x80000000000000001445309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:16.090{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:17.557{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5213D7F76D5A58487C91538525D8A1,SHA256=6D006E74EB25EB2A9FA2076B968BBA7DEC9258939BB8A42B6A2A20EC029FF18D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:17.048{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD865B05F8EE3CFC2DC54E64231A6A71,SHA256=80258FA6E6E94E84789F6D3690C7AD363DC97EB297A3CF25594827E84C2365E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:18.573{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF74B5CB16EAD51FAB30D947FBFC8CF,SHA256=BE5C39E2130E68602B0DC6607669F8D42AD774AAA54198CE107F86FC7537869D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:18.079{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FEDCDD0579E8724B83C586D1279970A,SHA256=8427FD14A457BD4210BEA001D7B7477627598EAC35055C390B1C6A8C062B1EF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:15.763{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50730-false10.0.1.12-8089- 23542300x80000000000000001445314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:18.012{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-079MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:19.589{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCAABAD2299E0A2A0793A015A69B6071,SHA256=6F56EF95770388CE1D63012458FE363025EBF4C22B44C477150559BEF8DB97E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:19.079{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23BF5E9BB24B3619FEA2F9E8E73DA542,SHA256=5C56D409140E94C5531B983E01AE72C4F3BA4360A6BDC293222ED7D2F69280F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:20.620{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B79928ECABA6FC58700C2551BAFB654,SHA256=97B9AF2C448E4D0B4E9749FCC5AE189C5FBBA027553B7BCA1A7647910D42CAEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:20.079{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2938E60F4FCC3A027297DA77872F4023,SHA256=AC017FB67405EDF4BF3BC25F6E3E5C236E4012BF738B600C939FE16F0D6BE8CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:21.651{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC6A022BC7D35E097EE792ADB1A91DF4,SHA256=E57E5A2B5D9EB2BAD98AF4BE53D72B1ED4BFB296C74001FA5290B0BBD5496E9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:18.477{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65079-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:21.079{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D718F6ECB9E1DF188B4929BBE1615DE4,SHA256=44D4A62079FC5C7542E80CE60AB8A0C3D732C27010229AF1088CA7B3C06F35A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:20.825{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50731-false10.0.1.12-8000- 23542300x80000000000000001445320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:22.667{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB21AF9675969DC7658F09B8DD396F5,SHA256=0FCB4782BE593B14AB7CE770E46240FC79C174D75D8B5B932F04527F6CC36A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:22.079{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=766FF76092E4A0E3BDB112F415A8DF74,SHA256=1FB7B40D1AA0E11777111D9F38C505E63A9D39DEA04061146E817722D5DC0656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:23.698{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A5FFBBDB1C8253CAB459C6E840FBD77,SHA256=8C003FA6ADEB92A8AF0ED39B1F5541EE69FB6FDC5FFAE2DB436C6CE92C508EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:23.079{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1496CB536EF3D4E88A08EB7E2CBADC,SHA256=88555AFC7EE3AB69C69E650F380311317BDB29720CF5073187DA47290ECD2B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:24.698{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D324C54B67DC3C9B1093FC7A0FD5FDB1,SHA256=AC871DFD463025C5C1ABF384C52D5454919CE99CB698775842B0028E7E15198F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:24.095{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2E180CB295F8BB9CBD8F728ABD236F,SHA256=B0150DB45A123A18481ECFC92D5ABA47B6BDF7880F8018530C1148E982780C90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:25.714{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=400FC614578858C4D4DC37C9813B6357,SHA256=4CB3539EDE49C043C5105C974239E6BBB921B39E66F6A3A1FCA47850CC8FEB36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:25.095{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5BC7656D8571398DDA0F1D042EBE8B,SHA256=ECE23C96D53A82E0BE2872C71497234CAE626EC09DAC83C2C2D9D0637F35EE43,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001445324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:25.620{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b510-0xb8db591b) 23542300x80000000000000001445326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:26.807{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A857ADB8B884F02D5B9EED13D82B8768,SHA256=B99362541214B9F896A931E31AA03561ACAE524CAE823EE44A1F1E110D572AF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:24.369{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65080-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:26.125{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF94434C5906F27006B80F62B37CEFE,SHA256=B379E5C7C2CB40E2B905F48191C723FB4817CE6570139FC131846B10990F6E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.854{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833D21D2111D5C4C66380D2671155CD8,SHA256=6416DD03F91D23F0C5658C5B58F273B0907FE2DF8B657A211AFA53989A398643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:27.125{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D2BD937A0E502031182D25BA8537FC,SHA256=A46EFCCB67378D209F9244D87E90A493C92B427C52FF2BA7F1A52E1B9E1BC4AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.526{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BA3-6154-CE02-00000000FE01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.526{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.526{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.526{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.526{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.526{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.526{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.526{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.526{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.526{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.526{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2BA3-6154-CE02-00000000FE01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.526{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BA3-6154-CE02-00000000FE01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:27.527{69CF5F33-2BA3-6154-CE02-00000000FE01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000001445368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:28.995{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001445367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:28.995{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x004a7806) 13241300x80000000000000001445366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:28.995{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b508-0x58a55680) 13241300x80000000000000001445365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:28.995{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b510-0xba69be80) 13241300x80000000000000001445364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:28.995{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b519-0x1c2e2680) 13241300x80000000000000001445363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:28.995{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001445362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:28.995{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x004a7806) 13241300x80000000000000001445361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:28.995{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b508-0x58a55680) 13241300x80000000000000001445360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:28.995{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b510-0xba69be80) 13241300x80000000000000001445359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:28.995{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b519-0x1c2e2680) 354300x80000000000000001445358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:26.809{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50732-false10.0.1.12-8000- 23542300x80000000000000001445357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.870{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1813F0066E0B701D47AE3095FEAF17,SHA256=9EC68EB3D10DCAE664C8E044D13A9407BC6FAE4C23F5155549C6246FC2758E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:28.157{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D7FEC6C850BF8501EF876E2AC3141E,SHA256=5E7119E5E6331833B7A756B398C8C00F70F911A3557CDAC06F038FC2BFA6CF1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.824{69CF5F33-2BA4-6154-CF02-00000000FE01}33843812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.620{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BA4-6154-CF02-00000000FE01}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.620{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.620{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.620{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.620{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.620{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.620{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.620{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.620{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.620{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.620{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2BA4-6154-CF02-00000000FE01}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.620{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BA4-6154-CF02-00000000FE01}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.621{69CF5F33-2BA4-6154-CF02-00000000FE01}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.542{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08E4988A7A8B17B247453512103D4A2C,SHA256=AA9F014CBA42BBD22AAB237D2A6BC5914A2AE47DFD6F590510FC49BFA56DF1D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:28.542{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1085008C953FAB4DFEEE6EA47AA0FFC8,SHA256=907E601F49C6755238334C29B436E27F49E4EB130CC0F03461C0E1F66B89A0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:29.964{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A1CA87741F81CDE85005761800BA3DB,SHA256=16F6352554ECFE81320AB320BB8641415F409511B27B96F19751525AE24BF558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:29.157{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EF5A02D93D340395A36363D96C9BD9F,SHA256=5335503A80FCCB4A6DCA3D715BD98FD72916DE4D612A845EA91C4DFC6329AE48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:29.682{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BA5-6154-D002-00000000FE01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:29.682{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2BA5-6154-D002-00000000FE01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:29.682{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BA5-6154-D002-00000000FE01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:29.683{69CF5F33-2BA5-6154-D002-00000000FE01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:29.651{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08E4988A7A8B17B247453512103D4A2C,SHA256=AA9F014CBA42BBD22AAB237D2A6BC5914A2AE47DFD6F590510FC49BFA56DF1D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:30.979{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E721F5C5A96005BAC52DAEDE0921C0,SHA256=082D8B1BC5097A2FBAA70CDA2050BEA5D0BA0E25BE695EFDFD78BC603B7972CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:30.157{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0913E8B7757F3B28306E95EDEF3EF077,SHA256=0EF416C48229AE39C395A44A19C59104E3544A5F245DA5BD8498DFA70221FBB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:30.714{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D9A32CFA6354845F19F4163D2048C0B,SHA256=88499D4F8E0FA9ACE9CCEE1755DE4FAC83B4FCFA37D7310BC86B4243763A679C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:31.995{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB61BBAB536143A464FE5FA657579A6,SHA256=E8B9A669AAFD7128797C1B706A0FBD2591B7E8ECAAFD15B5AAC1187264713936,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:29.524{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65081-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:31.157{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F025CBDC3A0FB2052AEEC11B4A3320,SHA256=00B3DA345C8FBF5E7625929B6AF301B877AD65025FE0C01FB6999208485A5288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:32.157{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39F1253CEC4F19FA1B82AB0E8C93BC7D,SHA256=5C00F85B84DC247B17AFC932475FDE5B96A6CE6758F301929DE504AE07731D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:33.797{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=353BCC4702D79BF3517C9359B3596CE3,SHA256=B1C3E99DA832A93926DC4651F7425926FE54B63FB35AC3B773F6E90A9D4968FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:33.157{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A67A57B9A8F3B4444160A5F33A8038,SHA256=8E83D3174BEDB730F2A7C4D7109D2449D94793E255068CEF67E33A2E051A4B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:33.011{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409EDF4D1499D457FFEEF287352FCF4F,SHA256=FB5C229F709510B4595FC8E8D790C731BCB6FA75C0C3260DFFFA262697013CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:34.172{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98270F3D6B6DB604CDC9235E7259EAC2,SHA256=EA83A580F32B8CE87018126F1375FFD5DA5B35F1A20FE89B4D0B3D32753208C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:34.026{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493603006749DAF741C93793D754D2A4,SHA256=5D710533BDCF8267D6C85F65C70FE97445844FFF61CF262ED62C27DFD233F5B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:35.250{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C531EE7E3F42EEE1A141A0A3D1E36B33,SHA256=85ECF5E4F170A307A9DBF9EB2AA0D310E8E8731FE3217B184ABC73FC68691679,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:32.809{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50733-false10.0.1.12-8000- 23542300x80000000000000001445389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:35.042{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B6CBE52661855EFA3E314DD856FD97,SHA256=3FB2B0672C4EF15F76A2893A0C77F203AC34D05F580781DC5835F6CD0FEFBAF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:36.281{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E414C9386E57F3BE1B42F95D3A60A076,SHA256=9E33196BD1D62F654CE74275BAA94C0713BBDCDE788CACD4A9B428AA31E5561D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:36.058{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC985DD80B8A59B1A281CF9401A764F,SHA256=E4BBAFD9EFDFBD1F44B39ED95A991F9500D3D5341FC7DA6ED28BB57E4273A24B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:35.289{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65082-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:37.516{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA54CFC42FD052116054FA58B8AA318,SHA256=F8C36F7B0A88E3CFF62A3A62C2EE3090543E9D8E43C67D24299331048D049D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:37.073{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4563644C431F08859FC761BA0C10FEB9,SHA256=38D94A45E746FF3DA6EAC7C059A00D9B5D6A326FB592863854DA9CC6CCF73A03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:38.563{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3248E5E0F316969E5AA97095EA13580,SHA256=1FE77EA88A25E5921D39C86B1E8456FADA4D048532EAD49527A0757F4B90157F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:38.089{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9AC8FD719CF700E17E6785F0DAB75D0,SHA256=378C9ADCCEC0673474DA1BE53F02C2186F2E15D406C22642F0E02832D5EF142A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:39.766{5EBD8912-18A9-6154-0B00-00000000FE01}6406124C:\Windows\system32\lsass.exe{5EBD8912-1892-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001540427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:39.578{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA4FAF344940AD877DEA2AF8DF4F721,SHA256=0B17CC2C4D082280CA488D22C620823258389E7020A9631A8AA637EF8E518ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:39.105{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C513B026B5385A9A401CD2CC8660A07,SHA256=204779A3B5D19CA1C9998CFDB7CC574868C022CEDFB06F27C5E0848C8DE81D50,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:38.960{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local65084-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001540434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:38.960{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65084-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001540433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:38.949{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65083-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001540432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:38.949{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65083-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001540431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:40.656{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4FDA8D18A7270E144A4D90D0498683C,SHA256=F4FEC5F89D39D4633BE7D1743D74C4941051D9633A9C177E017C6B7AE46B8B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:40.656{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CA682C2CF20025AC8AA89B0B7E0FF90,SHA256=7DB32ECAD0E6E1AC67754B9429DFB5FDA7AD145C18DBAD393D2F6CA9F98DEDA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:40.594{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6C90A6B48950D76B18DA00445F5866,SHA256=AA78B9A8C4D95B577D108C3DC4181B6BD26A02506A3394A99274B94449D89C6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:38.793{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50734-false10.0.1.12-8000- 23542300x80000000000000001445395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:40.120{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD05508667BD835FF5259E26029E373C,SHA256=81030016E15E14669E0C3190ACA7B69B18FE8F0B7F271ABA27143C038965A519,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:39.059{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65085-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001540437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:39.059{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65085-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001540436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:41.610{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B47B6B02022E4258C02D321A613092B0,SHA256=D6E41CAC3C47007A0E841BD1FEF9763CEF2C6F60B9DF5E8494527A1C157A6C2F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001445398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:02:41.620{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b510-0xc264cb0f) 23542300x80000000000000001445397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:41.136{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9068D6E8AABCF4075AB2506933803D0C,SHA256=E4D8348BDA1FFB45FD3BC9FF2F806A19431FE1D78DC551E15B7CB5A9E3B3AF08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:42.610{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12FDA28D88313DDA4E7A7C9B351DF714,SHA256=9ACDE8EC817C23A3D02283CB918FD59EECB39C7F92D7079ED2E4EA52ED170B42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.964{69CF5F33-2BB2-6154-D102-00000000FE01}2656904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.714{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BB2-6154-D102-00000000FE01}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.714{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.714{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.714{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.714{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.714{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.714{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.714{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.714{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.714{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.714{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2BB2-6154-D102-00000000FE01}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.714{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BB2-6154-D102-00000000FE01}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.715{69CF5F33-2BB2-6154-D102-00000000FE01}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:42.152{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5CDBE1771808E5207A1FAC0A5861853,SHA256=8EC920D3C9687534F54BD3B3739E1D02CACBEB9E9772A0136B52D0E3ED70A6B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:40.336{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65086-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:43.610{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44568860C4A58C0B6D045BAE2251FC6,SHA256=6F0FA2DBCC1F6DEF7C1A5AA4A6A4D7AF7B1383ACB9028A90DB131E2DE1DA93D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.902{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BB3-6154-D302-00000000FE01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.902{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2BB3-6154-D302-00000000FE01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.902{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BB3-6154-D302-00000000FE01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.902{69CF5F33-2BB3-6154-D302-00000000FE01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.761{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44AE008C565252FE18A79D3C53E8E214,SHA256=B806AAA5AB162D4D190A422D7FD512E73A523B1A7FE045728E4BC17F79EFEB40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.761{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A741E69B2436D66A48D268A344CCF166,SHA256=A018B64C0BAE2DFDC2258170C99D6E9840B96291E943708B72797970CB94C86C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.433{69CF5F33-2BB3-6154-D202-00000000FE01}37363164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.230{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BB3-6154-D202-00000000FE01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.230{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.230{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.230{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.230{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.230{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.230{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.230{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.230{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.230{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.230{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2BB3-6154-D202-00000000FE01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.230{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BB3-6154-D202-00000000FE01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.231{69CF5F33-2BB3-6154-D202-00000000FE01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:43.167{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79078869D764A3AEF9B2388B8BA0BFA2,SHA256=7B1F19E9D5C019311B1052AB4772F8257A030D16F0FF1FD5ADDC26D3AAA07448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:44.610{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA1CD1D3A6DA9B0C6E8E3FA782CA153,SHA256=465455E9F2DC11C63106F1EBF08B8BE3133BAFC759C89FAF6105CF3CC053C552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:44.933{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44AE008C565252FE18A79D3C53E8E214,SHA256=B806AAA5AB162D4D190A422D7FD512E73A523B1A7FE045728E4BC17F79EFEB40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:44.573{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BB4-6154-D402-00000000FE01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:44.573{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:44.573{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:44.573{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:44.573{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:44.573{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:44.573{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:44.573{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:44.573{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:44.573{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2BB4-6154-D402-00000000FE01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:44.573{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:44.573{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BB4-6154-D402-00000000FE01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:44.574{69CF5F33-2BB4-6154-D402-00000000FE01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:44.386{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16DA35BFE36381AEE0F3E5C383CE1E39,SHA256=E3158F794A93080927928891BD9C412DED88585831DA9A4BC60935CE4ED2EEF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:44.167{69CF5F33-2BB3-6154-D302-00000000FE01}37003608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001540443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:45.624{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A248D259FFD8A6CE7703F23FD142D3F,SHA256=F63EDB4AD11ADE3B2AF7DCFE442C163CFB59E0F4443DEE896BEB9E3A29F3FB10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:45.183{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55DD6B3790F87F7D02F79402C57F046E,SHA256=3B27D69CAB525B6D35FDB43B183282BB1BF8159965BB32766063DC896F9D2219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:46.624{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844AA2070915077EFE13B18A8757EDF2,SHA256=F4B9CCEA001A87BF1938C57742F31366A8BEECBFF65EF0EDA868F04D9FB36A39,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:44.793{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50735-false10.0.1.12-8000- 23542300x80000000000000001445461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:46.198{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B024B7ACD153DF426C432246D56F8C59,SHA256=CB4BBD6CB9279FEDA33D236350209A430582D396ADCE5F9C7B3CEFF9AE77FB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:45.999{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:47.970{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-078MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:45.398{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65088-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:45.274{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65087-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001540446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:47.624{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14522268A99293D506D83A1E43438C21,SHA256=4212EE5A175ED9B7E93B6849C22F040049CAAAD077C6C7C1C0A876122C39B789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:47.214{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FFFD60E9456C186535BC067CF5BB000,SHA256=D60CE9960B65E988296D6F82772DAF866160B5C261530F7DB3B7B68142FFC94F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:48.985{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-079MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:48.640{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F9D3410A17E1B25302E9A7BC12D6C9,SHA256=8BCB8066438DCCEF15F37C457DABC0580DCB65A889113D7FFE3BFA846D6984BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:48.214{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974525B59E43C2A78E54D2F6CE966837,SHA256=09C4EFDA61487F4C463A03B4A2E00459DCBFE38BBA50A547D31A2A5FAF901C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:49.645{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56EB79DF0995C101B4FF99B5170B842,SHA256=90DA532A5979033B0B539E0B455960794B779CBEFA315E1A80D268BFEDE0EDAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:49.230{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67AD602396881BC7BC128E3FE6B59CA8,SHA256=8E5CCBF9C7D5F8DAE8AF79F95A91BD40E8E0DE4EC42D3A08133F4E45E0C7B4D4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001540452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:02:49.033{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b510-0xc6cfd431) 23542300x80000000000000001540454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:50.645{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F922E0DB76EEDF9E1E327EDDAABECD7F,SHA256=87B9076FFF48D7FBD874917AF344764840B9BC648BBB5975DDDC58F3D73B8DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:50.245{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96DEC1D9DC4CC077700ECFA7D08027B,SHA256=B3EBC4B9EB1957E667161E4B3AA2035CE4DC84286AB8EDC0BDC5F4548879606C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:51.645{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B326B1593299401E9ABBCF2020A8C578,SHA256=BC7B7D46B5CCAFC7EBE18A7C31CFF9C3089FDBDEA440B5D35F153B4257490F22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:51.246{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E85F769750F0AD46435683DB68778C,SHA256=9534909C46C6F76051EF7DD94B5C356FA46887374BBC24E4E7B6B78A8A64264B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:51.614{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=387EB88040802616F7FFD7492ADB91CF,SHA256=75A8C0DB8DB0137305698DF5260800CC5DFAEDC1E603846169B5AD769859F171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:51.614{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4FDA8D18A7270E144A4D90D0498683C,SHA256=F4FEC5F89D39D4633BE7D1743D74C4941051D9633A9C177E017C6B7AE46B8B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:52.645{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D322ACC597E188535EE054BBD07CB121,SHA256=14012E6F71C62DB0091303B5BE808E4FC42B42814AD32802AD3EFB3D43DE7234,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:50.746{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50736-false10.0.1.12-8000- 23542300x80000000000000001445468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:52.263{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A642A7A5359FAA5F3488DA12D5A09D2,SHA256=2DA1F5FE9BC8A6A55E579FB50DAE199984C3A56B5AB743623C5E4D25E7ACEDC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:53.645{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800810EA3E8C68F745843E6BB5D92B29,SHA256=51722F5CE2F038115EFB0BBD1F3EAC1243C88CF2262ECEE7157D83FC149D4700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:53.292{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E716F464BC0F8BEA37881315CC24EB,SHA256=5932C3FA2721B1E09EDC8621CDAE720B4FAC7A34D35F6064F2D8859932D4F3E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:50.529{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65089-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:54.645{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FAE05BF70ABEC5C2698A4EED4B48F38,SHA256=AB9AFDB730456479EDBEFD77008AFE5649EEE1DDB59966B8FF62B721BF6E717D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:54.324{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A04E025BFFD3E1A892795B6FA5DE6B,SHA256=1C5FEE0551CA40D26DD40B31A7DE35EB271A3C96BC2D939630860E89264675D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:55.645{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79ACE80185672C88FA5E144872F870F3,SHA256=6B8AD2C92547179BCD901462FB7B375A4131A327DBA9EE7CA97DA5EAC036CC10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:55.371{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5ACE5EF2506A2F4AE5E7A06B0542C25,SHA256=28217ECC37B696F90496E84F9E4439825661FD783953300B89FF969494F8336B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:56.661{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58668961BE161298A089BBD341B21647,SHA256=8B9E22F6CCB4C137BF934DCCF487750A4F41ECC117BC7886CAF888E348552552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:56.402{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4FC29AD879F47BB5B8FB8D0783C27BC,SHA256=3BB3E8E07A83FAD36EC179F6161CE02AAEA091B0FCA8B10A7603018030C8A0AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:57.786{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2BC1-6154-0803-00000000FE01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:57.786{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:57.786{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:57.786{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:57.786{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:57.786{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2BC1-6154-0803-00000000FE01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:57.786{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2BC1-6154-0803-00000000FE01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:57.787{5EBD8912-2BC1-6154-0803-00000000FE01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:57.661{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5830880AB95659FDA614AAF76B9839B,SHA256=CE2E46DD016FC9981273A39D28407EB65F93D3B411A411E9CA688C91B3D23625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:57.433{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7097B6ADA8BF47A6252FAF3CB59C1D,SHA256=A9D15ACECEA41990DE545CC01D085BB195223E363FA0F54BD152851B29A82EEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.802{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44F97EEA9E5AF7DF400EE22E66D89813,SHA256=7606E0B99CCB9454B772E231F230D0C8624101E5D8C47173FEC5E4C2CD2D2486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.802{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=387EB88040802616F7FFD7492ADB91CF,SHA256=75A8C0DB8DB0137305698DF5260800CC5DFAEDC1E603846169B5AD769859F171,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.786{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2BC2-6154-0A03-00000000FE01}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.786{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.786{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.786{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.786{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.786{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2BC2-6154-0A03-00000000FE01}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.786{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2BC2-6154-0A03-00000000FE01}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.787{5EBD8912-2BC2-6154-0A03-00000000FE01}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.661{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489756321CA026E2E5F6EAC06FC1A813,SHA256=E68129410DB0574107A86753DAC63DDDF3104F08B799F33A10C898C1C5A9EAEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:56.762{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50737-false10.0.1.12-8000- 23542300x80000000000000001445475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:58.464{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF33263EC017C8043B60536B25A6F178,SHA256=1872E30B7698C4D7C419EB54045E180EAD0C9D6003591581C4C2A89AB81A59FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.520{5EBD8912-2BC2-6154-0903-00000000FE01}47044252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.286{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2BC2-6154-0903-00000000FE01}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.286{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.286{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.286{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.286{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.286{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2BC2-6154-0903-00000000FE01}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.286{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2BC2-6154-0903-00000000FE01}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:58.287{5EBD8912-2BC2-6154-0903-00000000FE01}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:59.661{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1001652DB37C8BCD7E481245BF6DE69A,SHA256=262AC08D5BEA2E0BD46913DEC6784E66899694384A2AA744817DFEA0617080F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:59.480{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3686E0BC7C9293D615DA748498A16EB,SHA256=6C278FBC4798CF59803E53EC93A0FC440439AE1B3F479F86728FF1D33E33BED6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:56.341{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65090-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:00.661{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11953596121BB9757FB17945647D45DA,SHA256=7781B72128B789F7EBE100A63BC930DAC7451A1752632FEAC427DF5C3D250217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:00.511{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73914047B1DDCFBEC11388D2779E2D37,SHA256=A52D09AFB745C6B4B4C5ABFB84BC8C95AFCFF9349C74BF0C729FFDF37AFA6912,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.708{5EBD8912-2BC5-6154-0B03-00000000FE01}34405668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001540505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.661{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71AD5D3616E33E9292D6C04E9B9D6575,SHA256=5AF30591FC0BBF9FD406DB6A5A86D293F72220D334950B4B7C6697B7E0939AE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:59.942{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-15553-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:59.917{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-15305-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:01.527{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E251368969F34DC4B396AEC605D5717,SHA256=1C5BABAD58877F2E72F0DD5E17C7331EB844DAE233A986D135FC020A22B696E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.505{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2BC5-6154-0B03-00000000FE01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.505{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.505{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.505{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.505{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.505{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2BC5-6154-0B03-00000000FE01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.505{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2BC5-6154-0B03-00000000FE01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.505{5EBD8912-2BC5-6154-0B03-00000000FE01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.130{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44F97EEA9E5AF7DF400EE22E66D89813,SHA256=7606E0B99CCB9454B772E231F230D0C8624101E5D8C47173FEC5E4C2CD2D2486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:01.324{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0CFE7501F25F1D6486A7F79869EEACC,SHA256=C2C281DCCD0850010800103305DB98F46D85E7FFF17CF4C82166A0B2852F8688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:01.324{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75AE83D1F66CA4045F3626D5B71BACE7,SHA256=F96EE7443F6CBA29660333CEC50DEA479A85934802C0A0B0E6E9D629EAA6FCAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.895{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2BC6-6154-0D03-00000000FE01}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.895{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.895{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.895{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.895{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.895{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2BC6-6154-0D03-00000000FE01}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.895{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2BC6-6154-0D03-00000000FE01}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.896{5EBD8912-2BC6-6154-0D03-00000000FE01}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.677{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166B742B4E9B48D1632C828CAA890011,SHA256=06BFFF990A5713A4EB5E47A125C7C39DB5F18ABDF614C3C5E47718C9D61533A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:59.999{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50739-false10.0.1.14-49672- 354300x80000000000000001445486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:02:59.996{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50738-false10.0.1.14-135epmap 23542300x80000000000000001445485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:02.558{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3C6F5C46A5C652B03755B5C88ECE75,SHA256=78D16A5FA98242579A4AA1A766919A36AE1D149D9AB3D6F54D5E421B304E1A57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.645{5EBD8912-2BC6-6154-0C03-00000000FE01}37643140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001540517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.536{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFF398D98712CA9FBCFA69DB58562BEF,SHA256=1B9D79F418A934BE3E8A4BF631A2D1D901759D065017BE1FAC47B705648F155A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.380{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2BC6-6154-0C03-00000000FE01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.380{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.380{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.380{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.380{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2BC6-6154-0C03-00000000FE01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.380{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.380{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2BC6-6154-0C03-00000000FE01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:02.380{5EBD8912-2BC6-6154-0C03-00000000FE01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001540508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:59.310{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65091-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001540507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:59.310{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65091-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001445484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:02.449{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0CFE7501F25F1D6486A7F79869EEACC,SHA256=C2C281DCCD0850010800103305DB98F46D85E7FFF17CF4C82166A0B2852F8688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:03.574{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70924D5B9675CACB0B60F72681C396E9,SHA256=21E6822105B0656B3A6FC5D1DE8259AC1B4B5AC5FF711257FC6929C2AAD32018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:03.558{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58214374AC54BEBA2DDBF11CA80D3287,SHA256=0F559F18FE0B7CABC85F50BC8BADBE8DA077BAB47C0095BE39D08724951BEEA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:03.755{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD252E8F09FA99D943D1F64C3D8D9FA,SHA256=1875612118E116B8E011317500CDECA56AF15B44D78260D9569E3D58535F7A50,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:59.558{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54250739-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001540529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:02:59.556{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15WIN-HOST-54250738-false10.0.1.14win-dc-429.attackrange.local135epmap 10341000x80000000000000001540528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:03.083{5EBD8912-2BC6-6154-0D03-00000000FE01}50324856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001540542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:04.755{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=366DC94C051D8BBB9AB7EE187526A320,SHA256=F4EF2ABA3F4D61A0ABDB86338B8CA2336C0528F07EB78D035147A551DB9509E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:04.652{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE3BA0D177549A8FD2156EDEF8BC0928,SHA256=501AA42B4A30E774637277F70EE49D05C2F34783992614268114CF6C66A05184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:04.574{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A666D0A40E02FF25DDC9DB3B9E6A318F,SHA256=AB9B1577B4F0EB739DBD4CD2710A6C0FBF482A98DEC937DBCE7A6A0E48F08DED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:02.169{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-29515-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:01.050{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-22361-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001540541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:04.661{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2BC8-6154-0E03-00000000FE01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:04.661{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:04.661{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:04.661{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:04.661{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2BC8-6154-0E03-00000000FE01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:04.661{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:04.661{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2BC8-6154-0E03-00000000FE01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:04.662{5EBD8912-2BC8-6154-0E03-00000000FE01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001540533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:01.357{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:04.114{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4730DE711948F1C30F971E4B97AEE46A,SHA256=8E2C6B71D6CC8F811C0D27A6AF828981E3CEA3F401D24B22564EA644F1411287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:05.763{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F17D8160455838F9E708F7C94F0B8F1,SHA256=5883E87513F1A9FB40C55B5C9AE3F5333C20A40CF2FF3C3E5CFF94689068C7C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:05.746{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=517891D842D86BFBBC38246B55FDB195,SHA256=D7C57EFAC6D2488812E1AE3743C336BBBF173A76D0421362B80460A4FBD0F72E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:05.590{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24E4776148AB73E27E696A96492D253,SHA256=A8E8DC44845A226903CA6E535391505D2EB153576BD0A8C300FE00340A3C55F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:05.669{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E043E877F0397AD1FE232BA5FB78FF2,SHA256=46FD639289A81D142CC6F28429470BA820E80A2505ACEB981CDEC431EA24BE45,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:03.283{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-36452-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:02.792{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50740-false10.0.1.12-8000- 23542300x80000000000000001540545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:06.763{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68B49849482D5A7EF4E8F4F330CC3B8,SHA256=015D51708BDE1D8BC2714D6E77AC09CC8A487554949E3E53AB8A6FCAB14BA95D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:06.808{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B36B5FFA65DC6049ACF1B007887D578B,SHA256=350CD0A4BA8FEC10ABEB7AA8DB0BBE69C25EB42DDED8D8960FA492A021B35BB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:06.636{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C66BD8E43028C83BAE0F8FF58C1E333,SHA256=EB766E1B3085C6DE10E00B4B68A8BB7986DAAD8C46817FD6E8C834180A3B3AD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:04.375{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-43056-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:07.763{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D48B33A83C5A0E7496C0E047741822E,SHA256=C5993D203BB48D7EF6A62057126E8E9893172C23058519A260E665284BE3F1BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:07.933{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDD93D6871FA9ED2EFB456BA68B14234,SHA256=7D1842D1E76C088A4E39785056BD74E9479374DF24FB6CF2EEA107862E0FD0AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:07.668{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22530FD8292E6B27109EE09FD2BF383B,SHA256=A140E6EA976B370A3E989919B0A76DDF15262BD4F5742120904E696D39AAD286,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:05.455{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-50156-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:08.683{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA855DF44ABAE1BC47CEC4FCF4A8DC3B,SHA256=CC3412CE14AF63BB42F6A7304E675686AAFEFFE83DD73A6285B6E4085A1B5C0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:06.548{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56775-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:09.715{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=538A92392FE38F1B01F635AC985416B6,SHA256=82BC9A88C35799260EC1584648F3D5852F75542E67B60C1E23B2D5ABBDA73712,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:06.475{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65093-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:08.998{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3E009D902F581DC720C5FD912C0CB6,SHA256=097B54E0658C7007A6A39EED9C03C0D27F700C3B3BBAFF06031BF083B201EF38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:09.011{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D02B6A6A9EB8C06F66391B481BD1513,SHA256=86AD515440C97465AD453A2684A0565D838667567E0F64F6117015E2E62B7165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:10.746{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EE4038C5C0B99DEA699F6D7216C5D58,SHA256=6FF99728241B835374BBDA2E29E6D466E52D2059E4EA79FF7FB804E4E6E13634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:10.060{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13FC780F491AA21FF71C59C9E2C2440F,SHA256=AF1D3D1670F8313B737C94F1E9BBE1DFE187C278D99D28F79712179EC3D01E4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:07.855{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50741-false10.0.1.12-8000- 354300x80000000000000001445509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:07.641{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-4680-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:10.090{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E21B1E0EED1B407DD0B4F3E1FF148B3B,SHA256=2CC020ACFA3847A4372E0F528A2406C686C264E6265D84BE10FF80934CA5F077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:11.762{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03079B5CDE1D477A5776DAB82954B2F,SHA256=47F13AAD019D547D516A116B0ADB0ED96C9FEA83501DF4F82D213D1885DB82FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:11.076{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E9BB108CC56EEFBD93E0589FBE941B,SHA256=1CD7AD1DFAD97A54E8B422D28AD4D5CCCE34D16D5B6AE64CC6AFA8F9C9918083,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:08.720{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11586-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:11.168{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89F54B6C32AC6589A7D87C87E058FA2E,SHA256=AE28C64838AA5FE99C47A6C48F3B93761EDB40929B8871C13E17771FC2BA29E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:12.762{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE0C744D970CA373C97598EF7D32F89,SHA256=E4406F766478845405DD008A113821F87C21ED3FDB5DC44D705FC3E010FC8182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:12.091{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C57255EBEF36BC025D71AF3373E7A7DD,SHA256=61DBAC12E51DAACA74CBE9610E3C57D570ACBC8F809007896AA5D7FF5FC0D0DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:09.798{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-18392-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:12.246{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5E057563F481F8B987A438928240B97,SHA256=DAD950622E9E52DA3C5D3AF81764BD18499766F6F5E9C4DE20A409AFB5225DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:13.793{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3CE7763D69D029510BEC5461046E46C,SHA256=F664A418A05B05716AFD41716F76F606FFCD2A6554705232B914ED8945491CA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:13.138{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B63780FD20FDBCD5A8B8E6E75B5B73F8,SHA256=5AC1462FC94A38CCA1190D04B05B599292C060F76A8529F3011D2B80738C1795,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:10.875{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-25323-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:13.340{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44DD4EF451E0B31D64F3E5106FA37857,SHA256=1BB10A323615857BE871DD4B79C04E4E4645333A7608A7DF08B6EAF04F021423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:14.871{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=64F0C1A8110CD483D1E1891D962C9ACB,SHA256=6EE893095C832F5864063035C8018758182B791D247D9C731187497C8441F8DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:14.824{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C5D5EAF94FEB37D6FF168CC6B33913,SHA256=91B8A16F927A1437E1181D9805D5E18EF868B1495CE12E8AEBCBE5909D24966A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:12.428{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65094-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:14.248{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC73A3F6BDBC3DCA82E14464FBF3C07,SHA256=EE5121D37337AA59E31AC10B4475D9F377BFD4EAEFC7B7D05CBFAE69F2427CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:14.418{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F4528F04EDC77C546D70A128E6EAAC4,SHA256=0C83C7B59BD787C69EF0EFFC3BFC7D25A56C83D4D482861FD4F03D5CCF3D1341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:15.855{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD387BD4D8DD4D2D66B29D13FB667118,SHA256=AF0BC619A6A34EB3ADF81A7E1E17B9FB1AEB1D157FE0979A094FC3A3053DA3EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:15.248{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7102D9E0518D95AFAB5C75B4CAE9BC98,SHA256=BEC82D1B7D2E14CEC509C93C3699C0727C3F65142D7702B3E7D829DFC387DA79,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:13.678{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse119.167.194.165-52916-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:13.048{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-38884-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:11.954{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-32136-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:15.480{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0745CA1790A6696604F7CE6AAD229A2,SHA256=136CD959E7DF5DD0BF07C04C62FB4A8D8CB3BB292020FBA62DFD4E6A4184B035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:16.871{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8208A79288231BEE0245FF4BDE309D,SHA256=5A128EB3AEA1F9087B30EF9B8122D74FA0CF51554D4F32EC26752AFF3D5C6F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:16.373{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FDE292830402A0630A2A70E2C13F484,SHA256=1716B4FDA8993BF31F849666BA493F9489032484CD80C2418FC20B3A86C0DDF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:16.621{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75D5BCF9330E5EA1F910D2E397CA58B0,SHA256=1D317859C876F7DE7E405374947494AB5AD295032A4520E169016B699008EE74,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:14.125{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-45747-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:13.824{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50742-false10.0.1.12-8000- 23542300x80000000000000001445529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:16.121{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:17.902{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37EFE6437D037C92EB99328FE0DFFF21,SHA256=6F7B720B1FB26136C8587FE3D88EFEBAD93D2F84798939775A7B3D3C013CA481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:17.373{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F1D4FED058F2418505718A44B8CD52,SHA256=BE4057CB1C14DAAE6F12B972908C30381AC6FA6BD966F6FCD177351B1FE0166A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:17.746{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBA79ED9039ED1619F6D57EB16389A63,SHA256=20BFE35A92C3326A4B0EA1B6769B4B90B60986D3F2DEFC6CC5BA35BC7E78B382,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:17.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:17.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:17.699{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001445534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:15.218{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-52229-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:18.904{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0525511B445A2A71BE25BFFB249A0FBE,SHA256=4780908E2FA896677F77AA1BC7091D588A4180156421589423786EB9942AC559,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:16.336{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.92.42-57090-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:18.607{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF96354E622DDEB4CCD90F83855D8DE9,SHA256=4866A27EEA8CF263FFE76B8991A041ADA2ED8E54664B53A4A21C63FD008DD667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:18.872{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88788CB9DB7D6EE40F9BE273273C9524,SHA256=1AC3C42BDE0C387198F023B95996FBD4E2A1A90793132223DB5EBD31608A77A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:18.531{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-079MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:16.341{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-59278-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:15.792{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50743-false10.0.1.12-8089- 23542300x80000000000000001445548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:19.948{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=751F603E5C2CC7D625DD1B0DC8345642,SHA256=05371DE0C9BC3F256C7C1BA6EA08F0AF276A51685E0784B815FCAF38635A829B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:19.932{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2528C65D6EB3D249011024A51FF96F,SHA256=931A0EA8D33B8484B37B6F89D5D98D0AFE3958601D96F512E400153A6479FA88,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:17.538{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65095-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:19.716{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFAE04761B8F8DD38D7FE42F7AFA11C2,SHA256=B4FA84BCCBD312868CFA97D63517BA99B586BCF0E5BAF1F4595F0F996AFCBD14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:19.716{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C81AA4D53BD973DDE9D3BB284FBEF7C8,SHA256=9969A2BF8AFF53834EB2D4CC6A41CC712DA7D3B08A2CBD4E1A2834217AEE81F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:19.622{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF3430918153A8E77E18409D8770A43,SHA256=9FB4A3F603CFE038882CA0F5446E79B1583879AC485A5DA28391A240C9909B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:19.545{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-080MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:17.466{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-7159-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:20.934{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6EF0DA109DFDCE092D6E5D4654F505,SHA256=C7AABA167E55FF63819C75DD24E31F23086E5425FC811B631138FB9314762DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:20.622{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B5E2205044D9D2F0244E593E99EEAE,SHA256=E78BCD458E1C81C42078DF1DC22566115E5EFE388AB69271DC32AC26B908E8D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:18.580{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-13818-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:21.950{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3DF52C531B8002FF87870D846E4A6D,SHA256=CC926A1A78FC6355BB85FE1135E8C01E9626F9F1CDB3669A2649328E3F46019D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:19.217{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-41209-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:19.174{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-41061-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.622{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6934356522C0C9ABD22CB4EECE62E507,SHA256=F6B235A985F5D8CEB0007BFFE59DB3E9559EA8495BECC8811100C7FCE0725544,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:19.777{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50744-false10.0.1.12-8000- 354300x80000000000000001445552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:19.656{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-20422-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:21.028{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14358960BD1EB8037E825D6132C4EDD5,SHA256=072874A56A38B9C75DC41CD50E157E4B6751BE096DD4A3E1B0C3A1A5415927F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.576{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001540565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.060{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFAE04761B8F8DD38D7FE42F7AFA11C2,SHA256=B4FA84BCCBD312868CFA97D63517BA99B586BCF0E5BAF1F4595F0F996AFCBD14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:22.981{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3EED6760F0F0FAA50D75E4971408B43,SHA256=24C9047EA2A8927AFC95810C607ADBDCE86F7E562A2C200AB474F7413F8D1A65,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:20.382{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-47883-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:22.701{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D266277420B5A84CADDE2AF8FBFEDBE,SHA256=D8C82671BCCD60E89E7E5814567293C35A5FEF47A6F6629315BEBACD12EE8B5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:22.091{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A470AE95C81DFAFBECD641293B8AF6D4,SHA256=11EAC2A4D9776B82FCBB987586F1F10E39E0FBE9CAE25754140F0380769A4375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:22.310{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=871C6008D64D3B2A99748DF3D103AB30,SHA256=6D7E095CD8FF5813F93E99243BCE8841B8B35A24DE70471C9CF3C83C4D62DF7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:23.981{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD1EF239E6CC7423DED7B2A50E1128F7,SHA256=5FD53EC79D92E7BA066D6A2405B5A5F0994362027DE46A7F43C2790FCB5E8F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:23.701{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001D4D9222308E1A86BAEF0F94E1DB7E,SHA256=C4AC4150D2A9CD16B2DED8F7A67AAE1A7DC301F1F65768A4FE11AC8C2AFA5260,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:21.817{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-33871-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:20.736{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-26995-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:23.184{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=031FA10728D78CB54A96075694689F78,SHA256=8AF3C14C7A6D2BB9D71095AD0C54ADBDA7EEE9F898C8FD79B47A64D03EB5DC83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:23.388{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36EB508CFC9B1C4B024AB8BC7FF5F61D,SHA256=6A9418E323813FE5CB4E70ABDE9D9A4562FBA4F4A63A3854041B9F6C48DC7E8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:24.701{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82BCA43A54FEAFBE137D5F8AA0ED0864,SHA256=A5526C669D401D8E727335A283705F851386C0B39C9C72BB760137CFCD099288,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:22.894{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-40528-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:24.263{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D3C1A5990363BD9CF63252F6BC3D6BB,SHA256=F4DA27F42915C7BED9E7020C519DC32E944E3009CFD96C69E9D5BE3E1B1A3D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:24.622{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD34FE20AA84F5FDF5F39A413DDD28A7,SHA256=E6F57578A0441A4072E824F3610FC626635CB638E88882EE82EF841D60C9F04D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:21.620{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-54632-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:25.705{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94DEE45F79294DA63470629328C1FC2E,SHA256=0193733038DEAA77E1B827D422E6EE8D78B23989293F5D0E905A9EFC3C8C0F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:25.705{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AE4C78A42313225231BBDCA22897FBC,SHA256=3E5A2A4A45B8A6A77749DCFB4156FCA2F8ACFBC185BAF757C42104B634DDB45A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:22.698{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-1808-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:25.341{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B41EB3A1506300BC5D1D017103F5574E,SHA256=A395A12D05592C0FE7A3ED91F9B8518C114C30C66A6A65742D98DA061716CF9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:25.060{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF12E5D0C6039B6BCC1B3F145271E86C,SHA256=99B3592FD5F7D909640E547C415BD6FC7660342495E42AAD908C539629865F26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:26.817{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=561ADD84E3F9E8D69DD82DAD4A1EF6A0,SHA256=ED854F42574DF9E4407B631ACB1B32903CE51AA02BA636914454E4AFBE96CE54,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:25.048{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-53848-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:23.971{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-47211-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:26.419{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59B8AC341DE5B7DAC2349F86E428CCBA,SHA256=6A960BA33D74795F74DE12A07F4240A848AF0FE02140A767EF559E12F1F94608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:26.075{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E203BB058C909DFAF5AF572F093747,SHA256=5CDD20EF79628A91593CBA0F1DE7C312E66A4AA005E9182E595D812F9351D195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:26.784{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFB2BE6C06E09F6F520A310BD6EF9D73,SHA256=DF72548FDFB52D15516EA98B21739AB7654CDAC736531251DDEF5CF98ACCD39F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:23.522{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:27.909{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31BF3A8B518DE53EFAC6280BE2EF3B29,SHA256=B5624E26E81048B6C85DF089152271886F83611993C92EBE09E84698B509C6FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:27.862{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12985A14FC50037F582F7D0C95028362,SHA256=035E5B71B402BF65921BC4D5B8BB1A3F91768661602EE8B56CDF839BDA1D7DDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:25.809{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50745-false10.0.1.12-8000- 23542300x80000000000000001445583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7732ECD2987F80D3ED04B7BD1D25351,SHA256=7B198604605527E3A49DD1F5E9CD96D111793A325AE167B8B9DD53A251334D92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BDF-6154-D502-00000000FE01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2BDF-6154-D502-00000000FE01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.528{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BDF-6154-D502-00000000FE01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.529{69CF5F33-2BDF-6154-D502-00000000FE01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.091{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D68E0C1FE1F547E6320150E6933EBAA,SHA256=4E8F4037CF0D11CDCDB1C498FCF6D3E4AB6AD344445E4554D80AA5302540A673,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:25.016{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-14387-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:23.932{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-8404-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:28.987{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5F98B4649E60BCA5730366554CBD74C,SHA256=91E1C3F7551BDD4F6C7A8C4AE33F61762F2A092DA97A3378B06E1099366A72EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:28.893{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76462F35CADA1DA306C0999D1339EA09,SHA256=19ED585AF1F90C45E5C7FE17F934374BE92863F408E1C9229D95D3A234545FB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.716{69CF5F33-2BE0-6154-D602-00000000FE01}6483520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001445600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:26.131{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1525-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.560{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFC448B7E2FA47B79047BC0E8DC060F8,SHA256=E2808EE8A1E1F9559A1211C6823A7378818178CBE816D2FC08EA29916BE0320E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.513{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BE0-6154-D602-00000000FE01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.513{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.513{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2BE0-6154-D602-00000000FE01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.513{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.513{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.513{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.513{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.513{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.513{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.513{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.513{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.513{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BE0-6154-D602-00000000FE01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.515{69CF5F33-2BE0-6154-D602-00000000FE01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.107{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF017070A768AB3442604615E4068F5,SHA256=287A0FE8B2DE929756C04818D10092A95D2CB90EA28F96D6F388250D59FE9860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:29.909{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA82FF1E7D75C4964B9BA5D0B4462C2,SHA256=9DA844BF01AB5AD7880D5D559ED11661577976D372EC6784E9D7DDE3E02921E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:26.108{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-20543-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001445617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.700{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BE1-6154-D702-00000000FE01}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.700{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2BE1-6154-D702-00000000FE01}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.700{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BE1-6154-D702-00000000FE01}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.701{69CF5F33-2BE1-6154-D702-00000000FE01}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.669{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7914B435190773B3E26943AC6AFD0B73,SHA256=4EE2660990BBC0D00ACEF4953BBBCE618FE7FDF9FA3A0D109D9812AFF3E310E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:27.237{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-8146-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.107{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0300698E651517FD3C46F971E33D67,SHA256=39848EE22C811B2C7EA62A06DFDE5125769895B73D0BD0ED32A723AB027CC41E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:30.971{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6CC914DDCE885BE5CE9663DA0D7BFC9,SHA256=9663917CC3B279176F7568AA6CC1262C838CE5877368731E13C6CB98C3CFDB02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:30.096{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D90EDBF07DBB00FFC5FDC9430D8930F,SHA256=F7A3EDFC3D004DD66551AFBD34CB416FE26CD3F3982C69B9196DB121DED998B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:30.825{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F424D9398AC33FFD4AF633225311D084,SHA256=9FA13E3955FD8E94244540BA203E678B00CC38BB75C460BB39C7A0DC517D919C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:30.153{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90548443075C50AECBDBCBD81B4FA3D1,SHA256=B4D40EE218422494C16760CA8DA6BBDAD0B61FE53D91805423757C796199DB91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:31.253{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17E0A9102E2D7F74BC2AA04E930D4CF1,SHA256=6387EB05A6D40D41163DFF36B2A72358C3F800E72852BAD3770602A43C60976F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:28.309{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-32793-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:27.219{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-26819-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:31.888{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54E79215A421C4F3EC0CF7297B7FF1C2,SHA256=DC2A1266C134B5D996640E7AA6CA585062A69961FCFE84BF7AE868543A63764F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:29.407{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-21321-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:28.314{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-14787-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 13241300x80000000000000001445621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 09:03:31.423{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b510-0xe0140a5e) 23542300x80000000000000001445620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:31.169{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC48BDCE11DA67061E363609035B72D,SHA256=F069288B5CC4B361B3E2EA651D80DD4040EFC40AD19DB2EBA51CED8D102E5D81,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:29.418{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:29.406{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39029-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:32.330{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC01D8139959A051978CD04CFC7193E8,SHA256=981F759B2555042B4655DA06DE5ECD5B2AFB112AD55DC488B5C0BE933976AF33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:32.190{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE4B3C977CD273871D6283BBAF02853,SHA256=CB822E1D39480C3FAF56454193E8FC4E0712BE7D629AEFE495FB8AF9A8752AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:32.966{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1263897A89E8161279DE586692F7551E,SHA256=F0F7D207835C5E3426B3B4DA742945AF4D10325DCE3EF76459F90CB8E19BE897,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:30.518{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-28124-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:32.185{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215C877549F1ECCF37946AA63837F8FB,SHA256=649D4FE25587F3B9776A3738076C20D38AD569356F5802C668B04B1545241FDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:33.799{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D7D067CB0D4AB7493401DEDEB32CF8F2,SHA256=622CE93A0AD9D89620788F6245662C7D807BBEEC9270E5D1678DBE8104A8D5D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:33.424{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55288640F25D7720B3C5308C688C8BE,SHA256=ABB7166EF9123C5C9386AB839DE907F9B6870F965E736CD1A57F09727C5103E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:30.564{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-45408-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:33.200{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708A02E61F97AB8B49D26C915D337620,SHA256=661C77C5AE4D45B83629712859B09CAD23768111FF5C7641A4DCA478C9711525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:33.408{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8A4A10C85803E9C5278AC320C6F04F6,SHA256=2D95D575E9C7D4600A46857DC0538ED05A5F21D47BCBA373D936E60497E09BFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:34.658{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11953CB074CA13B458617FE7458B9ADD,SHA256=9CB4D91175E22DCF447BC7CBA2F1E74823451C2AE6A3652344894634F942AEAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:32.674{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-41551-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:31.825{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50746-false10.0.1.12-8000- 354300x80000000000000001445631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:31.595{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-34854-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:34.200{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63699CA4F0C3FD352464719FFBB84690,SHA256=621CE8DE12CE24FC33E7B28E73AA233314177514AC2AAC465C7630C20F80D197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:34.612{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7713799384EB6AF4A2A8917A1EF43F05,SHA256=DA4080AACE14EEC7EF004039351A9ACC44CA7E5A5314DEF26F76641A0151891C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:34.044{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1074BCA90000D56C24F04D09BE722ABC,SHA256=8BE1C02C82746BFFC848CF95745A86599EE4FD12461BD5AF74EC09A19AE68614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:35.737{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA698D24AFE902DE4D22302DECA7AF5B,SHA256=EC0B0F260571B494CA0646D60A1840E5B7B8935D43B6681A7DD799F1549CCE8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:35.690{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05825F190C2340C8516D182DC62475A4,SHA256=5DEF59379FACAE095F0AB259FA1927ECC8CCD1668E05B4D9CB05434A3158F45D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:33.788{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-48059-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:35.263{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A0F0969CE3D4A1E80B13B1744AF6F1,SHA256=9916368131C913637A09E04A2DC721A29148685DF8EAF97E177FFAD2537EA6B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:32.764{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-57513-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:31.640{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-51470-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:35.185{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E954C3C2A079CD2DBB830A664D584BF,SHA256=44AA1B49752BB94820AB86F8BAD3A361399F2CCB13D020D6CB0331008275313F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:36.815{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C1AFC5073E22C9052B5190A3EB6B3B6,SHA256=1812E407A3C718F107EC2A9355277FFA3D60C319CEF2BE77EF87B547E10C29E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:36.705{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=206697C3396A26F295832915549D069C,SHA256=B2A621585D4D65EC05F2EB53D408D2B0A69303CEC92E256449E047E35D027E43,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:34.895{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-55231-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:36.263{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAA17179C1FB9BA5C1FA87B251B4CEE8,SHA256=8317A24B0BE403114CDF04C60E7B30BB2ED909817CFF1F12EC3C2910598D0AF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:36.263{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C995B1352A0AE639B7193F350FFEE57,SHA256=3546EAB2FD434F00AC19952484320AABA1598C57199E9638C23BAF2E491E6593,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:34.496{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65098-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:33.936{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-4960-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:37.971{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9B955D5630960BB17DBEC7CAF2D0870,SHA256=455B1D9DA192365845C5CB2247DCADB19FA7DEAC96C98B827D616D68F46E9D09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:37.705{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72ECF25D5B017E1842E04A993BD004C1,SHA256=404229B2B3A06171B933474E99167A5EB9B52AABF594E05B2832313866A65B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:37.357{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F3153CD070B4E01468EABD4E3BEE401,SHA256=75F2803924E6EFDDE49153F9E687D21056FBD01F0CAFCD11A4501A07151B6EC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:37.294{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3B36F0228CCE1F71AE2E2878E6D4DF,SHA256=60EA2312540CD1E2E8F9BD2CF65727369D7736B5716C2F86A3A787ADA7E40D08,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:35.048{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-11384-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:36.138{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-17319-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:38.705{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B63C57A8268AECC05C3769524D6BCA6C,SHA256=EBF4203B0F210D36F2A299852BB68B35BFB718BE913BA566562FD8604DDF2837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:38.435{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65D3006C9C3472310F99E7035AAD3F89,SHA256=8A43FFEC6DD76CA9CF72F39EFFD191C7B984F0CAC18905CE712841B3915A9088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:38.310{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0976077E45B64735392D5684C086163A,SHA256=004EEA99C7EED776E6DEABF464ED230BFDBB924141FB210AE3EC37D5F4546D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:39.705{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76822C93B2CB4097D7A01465AC363C50,SHA256=2C2C3CA77FC030A0F27A84903E03D97014CF1258C6EA86BF75D0ED4617CF62F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:39.591{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=399AE193165E0432E02B0A723C1C62C7,SHA256=B6791992EC6B4218B2308966BEB2E276AE32FBC0366B4A02AA46947A29C6D7CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:39.326{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A94475065ABCF42A61CE1CB354A21CC,SHA256=1E6E243508168851B2A3FDAB5A75C8062A2AA8662308C15D16B1C7E87F6C0CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:39.049{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91886A8E05F788ACA7B0B419A7B685F9,SHA256=3443B6A2BC38233500CE620EC14EAA6752D9FB62706005B3983E3949E2BABDD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:37.064{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-9773-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:36.824{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50747-false10.0.1.12-8000- 354300x80000000000000001445644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:35.980{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-2950-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001540649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:37.282{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-23613-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:40.705{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A725A8299AFDF654FD4E66AA5DD5753A,SHA256=395546262EBF78B280A8461B68A35FEB2C6EF1943911E3404E6FBF7551688512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:40.669{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62348C31245A168BD8B278F08E77D5D4,SHA256=39D875249E70A4C18A01BDB98D52428A5F3B43F26A7AB6D0CE66E62C51B5CF5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:40.341{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5887A0FBF790CA4BA7F4F75D530C45,SHA256=9CC8EFB78BBF8E3F45396E2F051D3035904499119C50DA4F5A867AA4EF8D0555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:40.643{5EBD8912-18AB-6154-0D00-00000000FE01}9084604C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001540646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:40.190{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23E26EFE0D9BD5B987EF4EAE2DA193DA,SHA256=AF73EC4AB493E5A0DCCC99F0EB2D69C22A6D416AE94CD63E63C578413D0A870F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:38.147{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-16168-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001540652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:38.389{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-29487-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:41.752{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0911288031DD582C634C31369339E468,SHA256=AB2E1D9075267C118BB9EFC995EAAC887D4B2375F339ADA44974E03B0EEDCC8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:41.748{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB9BC68D3945C26358F0100BDB980BEF,SHA256=C1E7923CD0617E6093E4DF64F027E9B92BB49E0BC6062BCC12D4E3EDF9C9EAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:41.342{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDC12AA900BB53263DF1F9848045EC2,SHA256=167B83B1C4BD07041E65C05C79B1AC4EADE260465356C2E31A0DDAA9B1B85FAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:41.408{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=706DF556D89F549EDB27EBDFD79FA509,SHA256=820FDCAF5115C3092747B5CD04B46EAA5CF6AC4AA367D393E35C026A2EB99092,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:39.298{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-23253-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001540656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:40.340{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:39.620{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-36156-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:42.877{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F62B2481DA4C1556E44094C63124F443,SHA256=0DCA812DCBFC2C99A5225EE1805D3C8945003E357A7852614E3DE25D926CA346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.873{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5774B7FA5A3965FCC366C954AD4A4F08,SHA256=842B63F68BE08F9A3DA78C838BF0AB4BE4799338F0F858D064391F40EFD2DDD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.873{69CF5F33-2BEE-6154-D802-00000000FE01}22723476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.732{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BEE-6154-D802-00000000FE01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.732{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.732{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.732{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.732{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.732{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.732{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.732{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.732{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.732{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.732{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2BEE-6154-D802-00000000FE01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.732{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BEE-6154-D802-00000000FE01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.733{69CF5F33-2BEE-6154-D802-00000000FE01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.357{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F94D8A2C5DE25F75FD0D1FC677F108DF,SHA256=837D070BC6659514DA0AD6882BE40303B3CCCD915C17D830B6249E793DAE2A07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:42.487{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AB6CA10A6EC028E60492CA599E34CB1,SHA256=23BE034A727181EA2139773957DE5063651BB1687142D01685C2DF422A74CC86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:43.877{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B31D32161C7B8AD03A4467C30EBB75F1,SHA256=D3717ECBF354C9D8FA0FBCCA7990A8723B2F45459001EC60A878B1B585701AAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:43.560{69CF5F33-2BEF-6154-D902-00000000FE01}1004300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:43.404{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BEF-6154-D902-00000000FE01}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:43.404{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:43.404{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:43.404{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:43.404{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:43.404{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:43.404{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:43.404{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:43.404{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:43.404{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:43.404{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2BEF-6154-D902-00000000FE01}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:43.404{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BEF-6154-D902-00000000FE01}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:43.405{69CF5F33-2BEF-6154-D902-00000000FE01}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:43.373{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A44F59BAB72F510D9CD5120E7655617,SHA256=89537559D282B980D0831AC4135713EAD5896322DE1070BCF657EEFBF9013E80,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:41.842{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-48118-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:40.719{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-42043-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:43.658{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C27BEA6AD59DB9A7B9D160D23A05A3B,SHA256=476CBEF60EE32F3CED95CD47842997E18D9116C04D1C9B341AA18FB4B95831BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:41.475{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-36528-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:40.376{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-30012-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:44.940{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E23A7F7736654DE0056BA9AD93BEBB,SHA256=99A4526AAA4A7A25FC0C9652F6080F6AD0E8D780A53C8FD2A3394D5D7817B256,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.748{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BF0-6154-DB02-00000000FE01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.748{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.748{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.748{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.748{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.748{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.748{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.748{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.748{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2BF0-6154-DB02-00000000FE01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.748{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.748{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.748{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BF0-6154-DB02-00000000FE01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.748{69CF5F33-2BF0-6154-DB02-00000000FE01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.435{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDA9CA7076A476ACA4301D9771B3607,SHA256=4E2089781CFC32A6C407FEC7CC65E530429659A750B35DF6D9FEBE495AA195AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:44.908{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5549E63E74DCCF7A3D544BD1BA67216,SHA256=E538A36EBBFBE7D590780C1300D2795410BF87C2C682CB6594F8F9C9991B8507,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.294{69CF5F33-2BF0-6154-DA02-00000000FE01}12003708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001445702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:41.934{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50748-false10.0.1.12-8000- 23542300x80000000000000001445701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.093{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B96FB1189D008728B55BC8F8D399A15,SHA256=5345DADD5884FC20C49F172659D110BD25FEBA39B3B6470E64691F61DBDA2097,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.076{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2BF0-6154-DA02-00000000FE01}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.076{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.076{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.076{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.076{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.076{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.076{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.076{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.076{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.076{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.076{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2BF0-6154-DA02-00000000FE01}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.076{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2BF0-6154-DA02-00000000FE01}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.076{69CF5F33-2BF0-6154-DA02-00000000FE01}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001445720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:42.631{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-43584-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:45.451{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64793D147730D2632CDE5BB6416E041A,SHA256=F52A111CD2BE10593BE5B93F5D6FEF3D16C37106E9B17324405A4D39D49F4FBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:42.969{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-54501-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:45.170{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80EBCF589D507094B020A3E9646241E3,SHA256=4FA99ACEB3201A44DC93F4568DA0A2240271E3ADBD7780E551B43F62EBE61716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:46.482{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2840C3444C94DBD6700452C43BA075,SHA256=C46D9D30EAEC940576E0E42E1EC76C15DA93C84DD39A44DDA0B9EC5099D97FEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:44.233{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-2163-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:46.036{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8279C097B86F6A4A6510DC836D41476B,SHA256=78732DCDA72491F25CDBAE427F1EFA65898CEE99B8DEA730091F8529F7A93CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:46.020{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:46.004{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E7D03A454866C5424825BBB067E3CD8,SHA256=AD7D8D714DE68E7B7A3F3A65DF6013309C5A7E26887E90510AAAFBD801F4377C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:43.800{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-51040-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:46.248{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=301B20ECA0E584871B1F1ED8D1065E11,SHA256=178D1859DD0E82895A20B3C2DE45A6D9F416397A1F8F9F77E33E95305FB1162B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:47.545{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8E776F79417CE3930BCD3AF91B2565,SHA256=46E771741C581484EA97DDE92A042C16AAB30A25412E5DD02F20CAA9BAD4DDF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:45.295{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001540669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:47.239{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8723FADAF81E0F7E717DE0B4C9A0B4,SHA256=BB406DFF93BDAC5C13AE829852DB47D6637B1E7C4C50E1599EE4D49C312AA455,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:45.955{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-5429-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:44.877{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57643-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:47.326{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4ADC77B64261D30EAE02DF2969A8790,SHA256=32CE9604BA696F0CF48CBFC5864C5643461B6207887A7876BBE0B60718F6981B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:47.161{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=467979886A70EE74E0CB5EB8F3F5D35E,SHA256=8F1075BB056E3794CF1B106289E211A7989306D701109371BB62C288B6097600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:48.576{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1071DF9ABCEF0815626C796598D5F46,SHA256=ABA6F2C93C33DC00B1D86509419D2075B17CFA9A37A89D9B4D0C282110C2B781,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:46.486{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-14651-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:46.358{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:45.359{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-8339-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001540675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:48.520{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:48.520{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:48.520{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001540672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:48.364{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9A0AB60007D72838961EB9B9466D1C9,SHA256=1ED9C66CF65A9AA848DFB445FAD546DDD9F677C34BAB1729A3B1F2FAA9BC4580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:48.270{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A581AE8B0BB4DC4E6B07423643422D,SHA256=C5B08BC0B3DE9577E03A7A4E813739A7E6A96BD380BE2A923AEEF3E898B44C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:48.388{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E02AA4125E0E9BC594986EAA41B9D40,SHA256=FA004DFE373DF0572727A5F757C40E629D1745A1E41F800706265B3E22C10E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:49.592{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEBF96B240F9613D2CC0F9D7E9BC2A5C,SHA256=346F118D3DF531A3A5B98A0877EB9AA529C0792DAD3730E0F0CD24773583AAA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:47.704{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-21054-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:49.494{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3C439CDBCC3FC21EA147759F27BA510,SHA256=8F87501FCCCC1B4ED511AD6E503550A66C21DB6D1FAFD6401FFDF01E3281A137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:49.494{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-079MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:49.272{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F993BAB1B55C6ED4F6674B1029D94DB,SHA256=DCD982D0E0B2AB2E943A5377F329CD807B7D0DCBCC4655A58E1FFE176AC2D3B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:49.482{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECD9B1F4CC6890898C008E6D7AB25E84,SHA256=AE4DBEFD95589FEBB79B220D7C0FA0929B2D1766E9A58832365A0C3CCA16B946,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:47.840{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50749-false10.0.1.12-8000- 354300x80000000000000001445730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:47.033{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-12092-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:50.607{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D22472057ACC608138A0DC3833ABA4,SHA256=CA5FEC25F092D3DA76EE3F5664BD48024FF74C117646F31EF82332807CE94D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:50.958{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B615C26D4768C852185190E1CA1EC4DD,SHA256=8BB12124FA417241734C965DF5514FAB7851544FC441DCF639C105B022EA4ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:50.493{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-080MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:50.273{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068BE877A1028E5DD022ED4B660D8F41,SHA256=C82767EE52DA3B72219D2C8536B78464B34D328F8EFAF95A2A4E082D373BE142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:50.592{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E54046E58B935EB806C094746F0151CE,SHA256=C6A453DF3955FF37873E49F544A982A85FBA7C56B56932809309DF6847B87E7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:48.112{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-18337-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:51.717{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0E920E6C63D32478E1644F8A68109EB,SHA256=453D697D835655EAC89B8073B4078F369DCC963B861E4D8C122D0CDA135E8965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:51.623{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E89F291BECCF08FD7752F1573DCEBD,SHA256=C781096B25B327C63D3973E1819EAF2AC4C54AA784F45FC794D118AA584A3B93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:49.050{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-28447-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:51.508{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12A135A817D09D36934F32946FE3EF2,SHA256=8A7492EDF82D139FBD9F453FACD60EDBF33ABB40E2C229F1FEF7DFCE2A60B635,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:49.189{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-25120-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:52.795{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C6758FD1987318F59CFED0C4676A81C,SHA256=06A2B7B1C473DA2007DB39534CFC8E77CD8AB4D346058968A3CCAB81037FE8FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:52.623{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4F676AC66239BBE06361A29DEE49B7,SHA256=B7ACD4C7E855D06BB36A81BA01BF732E73C7BB0EAC010B48D97DC185E51E5D0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:50.270{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-35102-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:52.508{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F4C9CA81E8F60E74C1CAD4B2492737,SHA256=B3EC478B8BAF50C29C849252B8A0D1AE95270806AF2E701B6D0E258A4C113AD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:50.298{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-31996-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:52.039{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1331BCEE62BCC4131F05E549BECAC7A1,SHA256=1DA7DBEE9DC2E952E0B1AE121CEE7E9E10DD73D05CCBB6E1838010957CD631AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:53.920{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E26329E69B066963BDE3D7F8B6FC5220,SHA256=A96B9C72CCB2DC7FB9ABB71E76CE82ECE6031FB41A4B58261A0334083629E389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:53.654{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596DFBED193AA6653463241978470FFD,SHA256=79A06D8379DFB9CCDA9963F8DED0E5A3EC02A12E04BD99B3EB03C19560361818,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:51.350{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-41064-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:53.539{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9533CD392C42205DD2FB3DC9462F59B5,SHA256=8BE7A47625792F7F5700EFA65D9F54B23E7306284B5219F8B76BFD86433FD9ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:51.423{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-38873-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:53.117{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DC5BA2A7F95DBF814477E7910F80C5B,SHA256=B14E76A51D507F89932ABEB3CDB036302FD936B54AB091FE50EE74CE69AA6724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:54.764{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51CD9F38C0AA1DB4251B8520799FF91D,SHA256=3530E691DBA610B8875E83CEF40B42C4D5244C0537668A8C0BB7E6B5DA231833,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:52.316{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65102-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:54.539{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4CDC5AA2D9C845B2CB7D24DC55126A,SHA256=9F79475E0C885B72FCEDD18A377B033F5F6836BF08744532898D0237169115DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:54.227{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD4EA7AFDCBC9EF3630A86E7C69785E5,SHA256=F302B946D3EEA951A607186AAE0CD621CFF73BB0E0CCEC680D1401F97C6BA589,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:53.573{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-53071-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:52.439{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-46774-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:55.539{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D788E87C9AAE40B6BEF4554E2BD4C5C,SHA256=286F4643C87BFAAC1A63E11714574410CB00BFB2085582805D7CBF6DC813CBD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:55.810{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE054DE3974DDF5461CE58A11D2476A1,SHA256=B3511118F84651F1EDF350E35490D3948387D7DCDCA208A72BCC53790BB65417,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:53.746{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50750-false10.0.1.12-8000- 354300x80000000000000001445749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:53.641{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-52727-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:52.516{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-45566-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:55.139{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC0599D6D9DFE20FF17A7EE9A233421F,SHA256=EAA8652569F66D04AF707A18B810AAF2BCA2EF7AB7E6AA9BE4D781102C75F69C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:55.367{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F295F54E62E29F3D84872F80ADCC9FE,SHA256=CDC3B017F1E44A27C52A67E4A5D53C11032BF7A8EE8A095171039C7BB39221C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:56.842{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE3F852079EAACFE5EFD10CB5C18669,SHA256=9552226C2627D315D46C0A88FB93E02EB2C821E258E3D8A9286576303C3C7F14,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:54.707{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-3052-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:54.692{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-59109-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:54.660{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-2632-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:56.539{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD0C901760A2D66FC75FBE514E560EBD,SHA256=44CBF0379CAC2757E0B780FB9B5DF981F1145655F5D6CDAF131230AEDDFBF7B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:56.492{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAA86A0F6468A49EF8C77D1EBD654486,SHA256=8AD163961D46AD0200BE13A6196386574DBE47BA5832041A67C95AA723E306CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:56.232{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66161C096A886B6ACD5A7E225C703993,SHA256=9C9A76F593071D38AFD61098492381744778F08726C23C66BA498B2E5D21242F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:57.842{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961B96893D84F40FDEFE4D0AC93978F5,SHA256=F2C67B0C69D223C70089F89560689D4CFF6D3DBB3608B4BD47B6BC4E3D370AC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:55.821{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-10033-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:55.807{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-6301-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001540716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:57.617{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2BFD-6154-0F03-00000000FE01}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:57.617{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:57.617{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:57.617{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:57.617{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:57.617{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2BFD-6154-0F03-00000000FE01}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:57.617{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2BFD-6154-0F03-00000000FE01}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:57.619{5EBD8912-2BFD-6154-0F03-00000000FE01}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:57.570{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1466A5845F03E93E975348FA331362F7,SHA256=B85E09731DF259F38AD31B337CEFB4352131ED177F3584FC14096CED348ABA21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:57.539{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F557D3FB587884496202CB2EFDC860,SHA256=A93672FEC9F2A8B875F08733E39E1B744311CB90093C9A66E80AB168313C9B7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:55.938{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-8212-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:54.845{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1289-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:57.295{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E9370E5B124FA94828A15A85AD983F0,SHA256=8D3B55A1555678292E0D1CEBE0B61A4A221289664B6BB7B317A41A8FD0288BE3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001540706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:03:57.445{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b510-0xef96c7b3) 354300x80000000000000001445760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:57.017{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-14810-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:58.842{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4639B957379DF73CF2E48210D83C1CE,SHA256=9EDD5F749EACBB29E8165FB3F4BECACB82C9F865D9DD844F3569F60D10661FD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.805{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2BFE-6154-1103-00000000FE01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.805{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.805{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.805{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.805{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.805{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2BFE-6154-1103-00000000FE01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.805{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2BFE-6154-1103-00000000FE01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.806{5EBD8912-2BFE-6154-1103-00000000FE01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.648{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BB4351661653AE0885D8E5FFDD4D0C0,SHA256=CD847D8108ADE9BC3448B722776D345DD4174BF4225D6935043D30A3A64734FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.555{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3FD3B41097EDA8501E8A5EF609D3EF,SHA256=B6D9EB84D84AE1D924B9BED64CC635D1DE4BB9F75C8D3C922D12C268E2DBC99C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:58.389{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=919FC8B9AF6009719C13F0659ED61C0C,SHA256=2E027AB2F8647CCC3DA56CEBE0D81062712B3422C950DFFFCE35ACE55AD1B6AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.539{5EBD8912-2BFE-6154-1003-00000000FE01}13005032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.289{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2BFE-6154-1003-00000000FE01}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.289{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.289{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.289{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2BFE-6154-1003-00000000FE01}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.289{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.289{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.289{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2BFE-6154-1003-00000000FE01}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.290{5EBD8912-2BFE-6154-1003-00000000FE01}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:59.920{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1808B9772F9792B9A620EF2F4EBAADA,SHA256=572890C7DD15351199C07BBFAB05FB7DE71B0EC18847988E89BCD63C0A5772DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:58.038{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-23948-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:57.959{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-17810-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:57.455{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65103-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:56.912{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-16777-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:56.881{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-12108-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:59.727{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A82244D98F07B3073F1EF3F25AE8A6BA,SHA256=70A23DADF8F59393E4E3DB3743035DC5F17C4A86FE0997597C01C7BB109A5417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:59.555{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03494BBC09EC9342511D5F08D248BB76,SHA256=07BACB3B54A8897CBD023A42EC6A169BF3834B36308BA63A1EB8B34EFE2C07A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:59.514{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C418499E0772DCDFD7D8DAE24C0EE2C,SHA256=987B8C60DFA32974F5E547435C00C8AE1D52F7E40B05BAE6A01402A80B86EA68,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:58.918{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50751-false10.0.1.12-8000- 354300x80000000000000001445765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:58.109{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-21581-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:00.936{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF772E9C082F98282422FBBB6A273DE3,SHA256=343135698F8719729FB005D4AC51DC1DBDFBF8F41E3CFDD99715651574809B5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:59.038{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-23889-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:00.805{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=241DCB095B4A122B99396EE2785B3BCF,SHA256=56DD0622C9F49734400B100E22585EEB1939AFE02DA2B37748A922027574023F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:00.602{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8731F4A6B4F46606206B0CAB80ADB086,SHA256=E7AF1A1290A40E86465B3F2E9EE13101731E5BFF046E8929DE02D6510877E0F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:00.701{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDA0885E3E4F26CF2CDE5A8D9C162C61,SHA256=E0E5D7CB7967FBB28D040BD5A4B4105D354998FB4A46556D51A9C374CEBBF360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:01.967{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00EF5A4F84E107E4866E9FC852822DD9,SHA256=C472911895135558EC20F8BC521F6987541618C52A188574F76E7CEE7764FC05,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:59.315{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65104-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001540759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:59.315{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65104-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001540758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:03:59.116{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-30562-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001540757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.680{5EBD8912-2C01-6154-1203-00000000FE01}50722224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001540756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.602{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FCC1A0C85CB00EB90969047617156C4,SHA256=1FBC56E1162FAAF4A77181121C0AADAC9A4F612B90BD2A62442CFC4D4C6184BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:01.826{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=405BFA993E2147EAADB48F0E49F7AB3A,SHA256=64BD44916FE693D0ECBB8A22B383083DDDDC4D3A768D2E08548F9FB0AA98D4C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.508{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C01-6154-1203-00000000FE01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.508{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.508{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.508{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.508{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.508{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2C01-6154-1203-00000000FE01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.508{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C01-6154-1203-00000000FE01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.508{5EBD8912-2C01-6154-1203-00000000FE01}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001540779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.883{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C02-6154-1403-00000000FE01}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.883{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.883{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.883{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.883{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.883{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2C02-6154-1403-00000000FE01}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.883{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C02-6154-1403-00000000FE01}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.884{5EBD8912-2C02-6154-1403-00000000FE01}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.633{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=900F52D23C6576DA44BBEA8884AB48EE,SHA256=6CD027D971E81F293CB140144FBF6794DEDBCAF3485BAFF4B13B59C1D7961A15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.617{5EBD8912-2C02-6154-1303-00000000FE01}58165376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001445771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:02.904{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F12FFCAAE9323649143CEA2FAB6FE83,SHA256=2CB97207408A0C7097138D763C9E4708B266D35026249FB9FF7336D4A95E7186,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:00.423{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-35784-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:03:59.293{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-28714-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001540769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.383{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C02-6154-1303-00000000FE01}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.383{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.383{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.383{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.383{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.383{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2C02-6154-1303-00000000FE01}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.383{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C02-6154-1303-00000000FE01}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.384{5EBD8912-2C02-6154-1303-00000000FE01}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.008{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39C0BA36DED0A5D5EC63007BC2DC1A66,SHA256=54008A2FF6C98F623FB766A03EE8B98190F9665E0C7652BA203D88A53FD34891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:03.648{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85667E9535E26A82BCC82722943E573D,SHA256=6FA442EA7030E11F4F0F6146E318F2F50515CC865343A72976004622E1354026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:02.998{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30CD2C4A1C4BB701C96052E6661379C6,SHA256=AEB7B047C5F020EB65F6FC84C012AE8C74D01997A75D8F4077A456382D80F88D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:03.086{5EBD8912-2C02-6154-1403-00000000FE01}16564300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001540782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:03.086{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36051BDA65CC0BA1133ADE3E4C7D3165,SHA256=5B3A933D9251C443F8FF96FAE938CB18357987EDCC7D743C38307CFDC193B5D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:00.312{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-37760-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:00.242{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-30436-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.648{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9364FCCDCA8B23F4B66DE808BF536C20,SHA256=D9C37A716C037583C2CF4E7D2F266DFD59C79A58BD006BC43F51B633AB3B77AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.648{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C04-6154-1503-00000000FE01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.648{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.648{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.648{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.648{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.648{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2C04-6154-1503-00000000FE01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.648{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C04-6154-1503-00000000FE01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.649{5EBD8912-2C04-6154-1503-00000000FE01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001445776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:02.612{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-49392-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:01.532{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-42729-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:04.076{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C85E2D6679228DA63D88CC978E3FF95,SHA256=9FA2FD44AFB14071AA2BE3509A9539D8D6D603CD0759CFA718FDDC87743F772F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:04.014{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E60A6A960A0A30F90B0E9899427F3A,SHA256=1E893E6FD6C412C97C2CAFB032A32E6CCAF0648A62BACBE5E1F59E746041ED66,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.513{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-45065-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:01.319{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-35734-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.148{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3E089A828799099B1A8908D1D100E8D,SHA256=D5881064F5CF61697626DBF06021028E87329BD0AE768B5377FE9C4CCC49A577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:05.650{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB94D3457C59B7C1DD65593A00B5436E,SHA256=DF992057E4AC97A631D987A4E2AFA2DA530806C1A7B63186B3B6E4D22B710C61,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:03.782{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56621-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:05.154{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D77EFA1B74B736215907C2BD6E7EAEF0,SHA256=F56A6DD387FF9586E1DCF979C25D547D2F1A64ACEC0D702745DC844D1FDA80C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:05.014{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A1897773AB427F394BF271D6D9D1A3F,SHA256=9DE5E0B4E9A67DDACEEBC005496D51D0070192B6F1A586A4E9D16218F12DB69A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:05.398{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BCA41882D5D2E92B573FBD38CF769EC,SHA256=0113610BBF4DE37DFCF7A1BE390402922A27E54EF70AF9CF7A89AE69A37C7D10,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.397{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-41989-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:06.650{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727F60CFD4EF332E7C4FFACC7B613A48,SHA256=738DB5012193D58C068CCA3123AFD05B3F86D9B54BFBCCD32370211B94BC96E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:06.233{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDC25EA839D2AC75392C7F969EBC6F21,SHA256=DD7C515DFB3C482592423B9021C5A411FBF160804E11FF2B165F21EE25F9AC37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:06.045{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=464804E657F0C607EC11BECE780D6A23,SHA256=56AD11C198BB0C859C0F4B1BD4987F96F23B9981516E48B5B815009C10363CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:06.478{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDB871E18258A308CFFF80D05F5F1D81,SHA256=CACF690A122239FD2FACB5D838FF87C1C405BA6C8C9A48684198465BA7CDFBC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:03.694{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58781-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:03.603{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-48447-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:03.471{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65105-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:02.617{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-51864-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:07.650{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD127F19BB0B1F1941FD46DCF651CE8,SHA256=19197D50C42E6F39F4228184229BF6CBC930DABC99F37F1459F0D39181E13258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:07.311{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4D4BF1D0C92060317CEAD1483C3CE06,SHA256=02C8F0803A97937A31A4D6E40ADEC7683C320898D23813A39D372A5C2E151A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:07.076{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7FD266C88A764433029BF15708089F,SHA256=D137E8084CE6251D61905E859B9A92C54A7649B8BEA39F7073A0E1D25D1C618A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:07.556{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6ED94581C949ACAE22394D71006E0241,SHA256=F83C8E73B84FB9C4DA2FF7102675A23A8C3671F13544ADAC6BC34DD110BCF8FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.709{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-54478-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:08.743{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72DAAB0F321542C0B1D820B7D9A75709,SHA256=7395FEEC38A4D283AB27F3217EA998B46765435A728C14DC21E97AA09DD27747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:08.650{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFAB67985B94511B398A32C4D32A7ACE,SHA256=382C4484CDE222B4554160E3A56D23E2F411C9E53D1C5862188B13D6AD1B34EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:08.436{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A7E409FFF309A17F2215122A0F13AF1,SHA256=EC444BF1682C7DDECFEDED64A774AFA1B3C0D45E2835EB7745E82263638B87F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:08.092{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=134439E9CC6EE12FDCCCAFBFA17D782C,SHA256=CB486A333772DAFC1BFD1C6AA8FC07398F38BA7028F0BDD2511D8413F0ABAC06,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:05.915{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-13355-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:05.790{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-1516-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:04.789{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-6570-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001445786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:05.938{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-10926-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:04.860{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-4358-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:04.855{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50752-false10.0.1.12-8000- 23542300x80000000000000001540817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:09.821{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3288855F91C0284E3A7A79EC894ABA0,SHA256=937FB904429281D6525899A96A5FCA382B8EDAAC41962326C665C5E08248AA49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:09.650{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07329CDB31E0A4121DDD547E6434F0E,SHA256=20F4CFB8E9B177CBA90C488F36624ED333D5330C943130571CEA093B4563E3CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:09.514{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=044BAAF28446975F7E2790D8D49D7FF9,SHA256=0CBE74F218A9C9A9198B082531E24F36092FBCC86EB580F32371D53C0F3E1904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:09.155{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F846C4AFC0E08456BAE9C1E81E1BEAC,SHA256=B74D5A01000763BC64A0CB69DEC9868C3E5543703B11808D24299DF38D0220A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:06.993{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-20209-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:06.882{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-7487-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001445789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:07.031{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-17740-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:10.900{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5853E6A6883D652FDC7515F865027118,SHA256=F1DF4F1B270462AC3E029D5FEB962D929F3FC53E0DBCA6CA1394159A53699DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:10.743{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2066ADEAE441A85B37A91A28E84A441D,SHA256=C9038A78E92865606166337C07B49DF75EF1DD6F18DA526F73D27800DA12ECE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:10.592{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C0B8F553413A46F9C4C83D81D185B2A,SHA256=3A2F9F5AB010658B1505F29412806FA1A7749289F082DCD817CC052D0A9217B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:10.170{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC6A6FB67ADC69BE788B52C8F5BA6C7,SHA256=FBC941B38B24EFA0FF2ED79A97FF27A6445B1C81280E4624666D4FE0AE03799B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:08.085{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-26492-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:08.054{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-13844-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:11.743{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E99480AF25C714544860DD1935C5CE,SHA256=BB0ECB5CBD657BB22DDE5412C7C05B3E3B1D3B8BE38B1790B08A61B5F3BBB9E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:11.717{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64F56299E4EAA4EBC24BA74876B9464E,SHA256=54FC3672DCEF8911CCAE92B0297A87235F182C25636B06CD2A46C679948D693A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:11.186{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA51F51CBF68EC14223353D9B68B89D,SHA256=62B7443D6102B17B32F017155031372A1EE826FABF6CC822CEA4C3FCF5B1A70D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:09.227{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-33571-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:09.135{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-19222-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001445795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:09.220{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-30938-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:08.142{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-24708-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:12.806{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9003D6F58B45A68CA79136F291CB2482,SHA256=1CED85E7D270E6B4F17E1A6A1FA4DE9769EBF0B5034BB441753FB5CC10E93493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:12.842{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85C702C355C1FA70E4606803B483EB5A,SHA256=B439CC3286B1800D61EC2B239B833D69EA4950F827F765EB6897B31E3B876B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:12.217{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34D244EC6A4EF59F19A308350DFC2CE,SHA256=21952DE29A67986CDFDD14E0BE4D72A532986A1966AE231285642E33CE70DA24,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:10.314{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-37583-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001540827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:10.214{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-25479-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:09.441{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65106-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:12.009{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=725E18B6577295F0C814C69CBB8E00D4,SHA256=A707DB2494A28D4D41D15176AC94821C6BB641887CD8B65D46C0575242B6B808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:13.806{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BFE74ED3D5A76624136493BCFFE5B7,SHA256=5AD0AF2D954B3E5B087F93A96096924EBE63B84A0F0926FC5240FD709B1D0066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:13.264{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFE5A81DF07F962BF742162A3251C22,SHA256=523AB6749CC88E9E89B5A4A071876EA5CD711FC46D1A4D796BEA57037C34D37C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:11.399{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-46988-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:11.359{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-31538-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:10.305{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-40275-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:13.196{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EB7F4D3417A95728BEE5E96103CEEA8,SHA256=FEC4726E2FFEC5CF5ECBE484767EEC8559B45A321C22A856A0D84458CD511564,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:10.855{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50753-false10.0.1.12-8000- 23542300x80000000000000001540837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:14.806{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C980B45E82AF66177E586105227569A9,SHA256=3AEBF9AAAA1EDA932F69802BFD28E4386EE69EE9DBCA5774D80D621E2DC81FAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:14.874{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=93F8F98EF3004A3B83EEAE32A46E77C5,SHA256=D49C65701778FEBFFDC43A48EB919C10DB581020247D94578AEB9143BB587768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:14.295{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CFC959D8427087FBC906C11F2321CB8,SHA256=04A4158F46CF60B33D8B89C805959DACCDB0E991E63AC5AC0C4D33E4CB31C49B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:11.438{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-44492-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001540836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:12.554{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38158-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:12.524{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-53840-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:14.322{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C35801CA301CEDCD4452F5FE9C3F3EB,SHA256=91A1CA14C8DFFBCF08A49FD41DE928C8DD0144536D96C9601068AEFC1FE50BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:14.014{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84D80726C18196D8F69FF267604A8D42,SHA256=795C1EB59CC389ABEA3F5941EEF06144D2F464AC1EDD1295E0C25240A255D7EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:15.806{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADEAC4109DAC04F2EA975E54391F107,SHA256=5846526F96464F3F91949391EEB1613DB18F3F6112A8061BAA02B8D03695E609,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:13.720{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58590-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:12.565{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-51406-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:15.311{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C66F55C4D13D2B064602DA66E368885,SHA256=F85B12F8FE41988BD638DD1FD5E228C811228CE3C61D744C8FC8D38E099A1740,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:13.633{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1606-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:15.400{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB92B8FE6A5C64D6DDD8589F48587D55,SHA256=B793EEDBE089DCF226205FBDD62E8993621D667FD0BE24DB1DB9272EFE6B81AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:15.092{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97D43B83A7A1AC2B7E6F56693747F534,SHA256=AD75FD1D03575B50EDCE4E80431F681C28FE95DFC4DFB9E90ACEB4145B8CBDC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:16.806{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=802BC9E4907536F43C0AEFAF62F2DC17,SHA256=72BCCE197F83D425F1704603B7E4F4AE54DA5C751E20C5D4ABD5ADB46CB004BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:14.519{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65107-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:13.710{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-44696-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:16.327{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4682FFE07CF67785818D6C659E27AC0,SHA256=D1D33DAB10F871CA61F2593E92A53B5BB40421157300E510E3E5F90DA73F5E55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:16.525{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C96A549E16BB70BC34C933D678E1CBDD,SHA256=2163CF005997FA3383A3E2729AC51D659133044E846AA95C9B7A1E1C8D71E2F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:16.202{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09CC37649AF57CB40977D0FF637D33DF,SHA256=0FB9155D77325590E6878AC8EE80BE0296D82323A20C31BE1D2F1B0ADC080A40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:16.139{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:17.837{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA4D7206B4B149361CB3F65195E87AA,SHA256=0DB6B77150FDB4C6D07FBC20E70A4C8E3FECB5D2C7B0A11990E50B2FBB1C8CF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:15.837{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-15385-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:14.837{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-51069-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:14.724{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-8507-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001445817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:15.808{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50754-false10.0.1.12-8089- 354300x80000000000000001445816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:14.803{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-6241-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:17.342{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C264687CA6F04A57F21DE336103B82,SHA256=4C53E03E8B7E42E143F1B8BF1DE43A9DAF505CB6D16D55289AAF9F2D415FE4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:17.603{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=803398B082314A488E96A7DE0760970C,SHA256=3E706BEC7C8C28D01EB07AD2A5964C8017AB2DDD3DF5A498AF0AC66034B33C91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:17.264{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FAFA151ACB87A405085831A251D957C,SHA256=505EA91270B5D959806CBADD0DD151CBC7854703B6CC369BFDB1C6D2DCF462CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:18.899{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26C4F6994F820D1203A95772DC12B995,SHA256=913BF6A217D8D03E8173240C3E6DCFE17CFB2C14A8CBB5224A1B09860B1796C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:16.830{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50755-false10.0.1.12-8000- 354300x80000000000000001445820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:15.907{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-13086-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:18.405{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E954C0DB460912EBF7EA5B3987D8BF3,SHA256=1309F525A233A4C1ECD3FA2C93A89E3EF6977056FF5DDAAACB2F800910321D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:18.374{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2A177D637567CA71FABA9C85AED03ED,SHA256=5FFF2C05496E521D135AC88846A9A89CE6C345E978B3C262F8A12B494BD6FBBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:16.024{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-57475-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:18.743{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31FD1C0402D620FF3D760185130B5FDB,SHA256=D59F635A0A6933C8437B06384CA0ECB254D34E09F84C58731223868A852BD9DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:19.899{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=040371A68916FE4385272B6125FCE37F,SHA256=2AF1D009AE23A9D4289CEBE5521D7E97E6C268BB89B2254C957BEF1E6DF72343,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:19.899{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E61FE5E2BC70D6427CDF9A2244C127A,SHA256=4278D9E9A05D175549189013B0A00B8FC284FD678DE96E522CBFA6270D7CF9AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:19.483{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FB47C9E58C0DA7B6DC6362E9EFA20FE,SHA256=42213B2FFC3A92644EA4E49026CC5B9B39F3F9196992E785B322551E26DFAB8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:17.000{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-19792-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:19.405{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2FFCB6DA4D9E0C7C9304AB77031D49,SHA256=F8AD7B16F0C15FBAE0E2A8F516067169292F1C6487A468A1589351778155365D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:17.117{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-4654-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:16.932{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-22050-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:20.993{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5493F1C8E760FDDD4087DC76AFBE980E,SHA256=0D939DAD3DA5D9BD20A0FCA51B7FF4EEDF9062973458A39FAD6E5680EE13EE4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:20.900{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E966F5BFE05D98E5DD798B1A01CA2E,SHA256=2249817DBF22923249F00A7F8809A44E2B966A17B7FF8BB6ABC231B332C390D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:20.578{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F67781E270BA6022A2B74BC175FA7C2A,SHA256=65A135AAC1C12A040AF95CFEF9D17BB9244338170E50E2D20C6C6D6D5D65BA11,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:18.111{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-26751-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:20.437{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A742BFC55431B13CE16716855ED76DD1,SHA256=424C386760BE7BB9973097D4CA412CF6EB20413B5273F078EFFB70A0419DF0D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:18.330{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-11188-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:18.088{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-29023-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:20.065{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-080MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:21.931{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81EEBFF79F676994DF0BE1DE7F17D26B,SHA256=224685913968E142C124770DE8F9741FC51C235963CDBDB18B1F1A3BC2201119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:21.641{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9262806F1E298C37C355DB30A02A9E7,SHA256=BB35E4FF91FEA43ADAB352E3845B423640C411C57DFCC923A38A3C0ABD4CF3CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:21.467{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EABFF3CC29A9D840FC3995F3BA1761,SHA256=2845B662FCAD6BC6D5CAE1BA0CA29C612234533D08C2E9A003221D60F220785F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:19.415{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-17235-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:19.228{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-36102-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001445830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:19.195{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-33053-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:21.079{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-081MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:22.931{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C0474EB62405209AF6F109B4329CE1,SHA256=3E447C0735F77FA8DD634BB1C5C529C1E24E33D9503EF08932FA64C9EB5691FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:20.285{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-39703-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:22.516{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E20DC807E066E21EB01AE966E2DAF82F,SHA256=D965F2856CD64879EC3CEC6E08FB2EC21D0D815866A5417278AD376C833D646B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:20.317{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-42401-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:19.535{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65108-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:22.118{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3406C95F312147A62456A5018E1D20AC,SHA256=0913DC771FB991309F19B89E596341C8C41ECCA929058439230A3315F1AE362E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:23.532{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F08F29F3AE58389EF111CBF381E42F5,SHA256=14D81C8377167272354160092783CF8F6EB7BAAD2A7820480971DAE087C54E8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:21.445{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-49119-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:20.504{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-23073-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:23.243{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B126FC10188F263BF503A48A91CF3FE6,SHA256=EC900EF64D2B4A9F07727A364FC306DA8F3333EC044E638AB13AEED39D15DAA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:24.610{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA94D560527C0C88D22D503DE729302,SHA256=0525DE02DA46B76E59F2AFD4B54B2B89B86D939F63EC9E60C17F11AF67E11EC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:21.635{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-29498-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:24.337{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BD29F0C90314DD6500D52C9D7434274,SHA256=C450B7996BB291CA30E873C786C1567196FE10D6537EDB1C374C53D427AFF8AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:24.071{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53584F7ACCB0472857EAEE841AE0D88,SHA256=B0929AEC5E08D07F8867773C94C02DC6A65A9602D895669A8AD949DAB87305FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:21.935{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50756-false10.0.1.12-8000- 23542300x80000000000000001445838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:25.610{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9388535C8EF731E3D77C00684ADDCC9D,SHA256=EEF3CFDE3896275A905AF99A25712B1AE493BB1C8B5386D3F3215EF0ED1F0B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:25.415{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0653EC7B1BE7FEC812735470D19C018F,SHA256=724B70AF5C76EA4E7E937EE787A82843640FF3528C334B29CCD7584B32F5AEDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:25.196{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0CF9C95E6F91371F715226498E71743,SHA256=96E362B333F2B2B655D3563D825BBAABAA9110A32D7A4FC408979EA051766918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:26.626{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B75AD3099649E0C9F70FE3A92A38C6,SHA256=C5A4AAE4F0534E6A3D530356C42E7D2B08B73951D1857D7AAB5F5B07E7449C8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:26.508{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7084BC7FDC0868D6CEC2231E01EE7CD2,SHA256=76A689A671A17503265CAC2FBBAABAA8B5F00DB3297C8F3F295C2E8D6E27373E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:22.758{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-35065-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:22.556{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56032-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:26.212{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2121F343D5739604FBBF02CE2BD72AE,SHA256=A737132EB3F86AAEA1EAB29F81CAA993957EEA0DA0DA219532CE4651A6D9040D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:27.813{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C6B3AAD3A0134A760CB0AE5383EC1F5,SHA256=1968F6A6F90CF74EF2CED8AF25C5689CA5ED92772E73ABBD08035E84AF626BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:27.618{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE51A9E2535C3BE2B5143C584FEA4926,SHA256=755739C2675ADA79981D03F4B30E616DFAC99B3520E4154F3827FAD220EB87D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:23.868{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-41415-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:23.650{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-3692-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:27.227{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF0908EA307B6D96A7FE66B3B1905B6,SHA256=710FFF7426EFAAF2F79398D05319A73C6BC9A784D03432FB779A5A11C38604D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:27.516{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C1B-6154-DC02-00000000FE01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:27.516{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:27.516{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:27.516{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:27.516{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:27.516{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:27.516{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:27.516{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:27.516{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:27.516{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:27.516{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2C1B-6154-DC02-00000000FE01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:27.516{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C1B-6154-DC02-00000000FE01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:27.517{69CF5F33-2C1B-6154-DC02-00000000FE01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.829{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FEA810BE40720763074F4D11BD00EB,SHA256=3689B15C8ACB8C5562D50A9303990735886D00FEB0A9D54DC2FC4C35107DA1C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:28.696{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC4421DE857A9FC431754B86472063D3,SHA256=8F8C07F74C0299AA6D4E5EC199BE36DD5FD63F7F418FB7AE9A1191998F5251B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:25.843{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-16672-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:25.550{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65109-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:24.961{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-47292-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:24.741{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-10310-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:28.243{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9653252C9833CEEEAD6917E671308A65,SHA256=9EF5A4D22E83FCABF1229FEB2BD66DB1FAA75447284D69FC682C207C7D4A2E81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.782{69CF5F33-2C1C-6154-DD02-00000000FE01}36403028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001445868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.532{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A80CA89BE8C0BB9995709D5EE2797F37,SHA256=17FD3A50F6D9EFFE04A206E15D6A7EDF6E9EE2BFFE5E2A5887D5986C0890B4DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.532{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59D23222094FDB80EE7319E60A6F8E03,SHA256=C8B77117A4926DA808DEEF2ED89637829D6E344AF3C3DB68B382B463824AC352,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C1C-6154-DD02-00000000FE01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2C1C-6154-DD02-00000000FE01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C1C-6154-DD02-00000000FE01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:28.501{69CF5F33-2C1C-6154-DD02-00000000FE01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.860{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05DF28AD754AFFC636C1C9A47B36E855,SHA256=F513EC35B153B6D08B5B6FFFF69C97FD7D30EB83EE37909358DD4F73657992FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:29.790{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A14BDF6AE145B552939B3D6B22A727ED,SHA256=C3D3B7857F98A50B5899A53B7F55FCA31C4B1A6F736D39FFEE9B42E0C16DE92C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:29.258{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63C4AEEC0841A7D6073CBF6FD64A0A7,SHA256=AC8A700355669DF414E12C967C5AFF1CEF06983E150490A005662024D6B7BF25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.688{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C1D-6154-DE02-00000000FE01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.688{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.688{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.688{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.688{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.688{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.688{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.688{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.688{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.688{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.688{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2C1D-6154-DE02-00000000FE01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.688{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C1D-6154-DE02-00000000FE01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:29.689{69CF5F33-2C1D-6154-DE02-00000000FE01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001445871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:27.919{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50757-false10.0.1.12-8000- 354300x80000000000000001540891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:26.930{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-23418-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:26.128{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-53585-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:30.891{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FD39A6D04AEC011A694C191C84D3BA,SHA256=C814752C7DEF70CED6429B8E4FD2551F280779AE1379483C2233E9C24DA46945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:30.868{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08DEE3F2F8DA0068ABB52225DB8D1ECB,SHA256=144AC5E22551C9810F056E21D3C3F826F1003D568808341EBB6EE5FBEA7CBD09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:30.258{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0830DA9FA6D32D742D55E3CA8CEE81,SHA256=F84EEBFDB954204696923C89DC0AB4E49FE8361B6F9CE183A1F2BBD1DC5B9942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:30.735{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A80CA89BE8C0BB9995709D5EE2797F37,SHA256=17FD3A50F6D9EFFE04A206E15D6A7EDF6E9EE2BFFE5E2A5887D5986C0890B4DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:28.018{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-29949-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:27.269{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-59700-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:31.891{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FBC9B58C620488D277556C1439B26F1,SHA256=F15D4932635C90FE8DF0BE7EA10CC4B392C886E09F1FAD9306ADA34128F0260D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:31.274{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D6F79A5D221D3C6CEA50671B0787A1,SHA256=AC1E19880E79CB9186E7F582CE4A97344615E3292F88D693797F3A693612A66F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:29.102{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-36514-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:28.391{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-7269-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:32.907{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB34061B633B7EFE234B859C135DAE6,SHA256=59BEABD6967B2F2C5F7B6A22D3720F10703A663628E12B32521EE80BFF25F1CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.368{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C98FC401C6FD1233B1F33BD45B59ADD,SHA256=AB8DE13709658B4039C8E64383EEB04AA77C29C30797C969F80F527D11872BB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:30.239{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-43441-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:29.602{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-13995-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.008{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B61CEF69BF9591407A643582630DC389,SHA256=982BE98729EBF039C460A5F2C10925B2F38A15C1EC0965C34760638001D15D29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:33.938{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CA6EF142CE398A547825D674BA3417,SHA256=F40D6802313F9058B9C391B00F4B8E96712C98C2D819CC2015A013CB927477A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.805{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0585758676D713B8298BC5A11112F2A5,SHA256=ACC6D59853775492B75F75D40865640A6252CDB7067C8110DA72AF05D2EC49E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.368{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E5B957B6BE5A0C5880469A726A08BA,SHA256=7D079D3FE9D80D50B76D026007B314830960026274A9E68B227700A50C2C9443,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:31.320{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-49937-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:30.733{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-20046-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.087{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC84204BBEFB6982CF7C222BF73ACBDE,SHA256=405017E44B6B66BEAD91C76964E4BB6EE08EACDB89FD487AADB28D556A8D51A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:34.954{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6CEFCE6688377338408938E6A02ADFC,SHA256=FDD58EF6572829185192364426F9FA7B5BBCCFF03D3B1C44F741381A3A570EE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:34.399{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=562E4D3A05702972C51644FCC0A88455,SHA256=615AC240A4FF82FD326F2141B4F5128EB7367CEC1A0BA7166AB5DC20D6BA0A32,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.147{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27285-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:31.379{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65110-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001540946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.386{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-34419-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.352{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-34290-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.330{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-34167-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.308{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-33974-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.272{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-33792-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.215{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-2499-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.193{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-2354-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.171{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-2237-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.148{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1953-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.107{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1675-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.052{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1444-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.016{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1253-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.980{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1112-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.957{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-59866-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.924{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-59622-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.888{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-59418-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.850{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-59272-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.828{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-59123-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.805{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58807-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.753{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58654-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.730{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58520-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.708{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58387-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.687{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58254-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.665{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58010-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.631{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57855-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.610{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57619-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.572{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57351-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.535{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57228-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.514{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57103-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.492{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56933-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.470{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56686-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.433{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56442-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:32.399{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56282-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:35.415{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6018D1F7C2B184D6ADCB5E63EBB1BE96,SHA256=CFF36C98D1541825AE6DAA79D01AF39B6D12219B8B5DF118DD3E71D4043FDBC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:33.794{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50758-false10.0.1.12-8000- 23542300x80000000000000001540951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:36.930{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45052E4CC74B7FBC0465DF186F9B4D86,SHA256=9402436BE2CE2BF5507FF5798610FECF8938C0CA034C40C9B32E3F1FF3C0C5E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.498{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-35092-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.464{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-34856-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.429{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-34720-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:33.407{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-34589-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001445893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:36.032{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E513842C6D758FC1355A9C6AC8D902,SHA256=5C56270106BD38821BFCD9A5E9B725D3AF5CFBE3597C1E1AD1F56B53422E3879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:37.524{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDDF5BA2C05820D9A18E26B57AB578A,SHA256=DEA2D1A7194635C87D1B746813C2BD87308C4B34164EEFB92324731423CD5044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:37.079{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164279C79B09EBCC4A1B71B8BE1EA949,SHA256=CA1BB16F05AE890A27AD9B0DBBDACC5563B995E50D150A020AE78A419F925798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:38.524{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=092855AAFB45CCD01D323A2A6E7994A2,SHA256=F986B15D0C96DB59615E8286F879A17A8A147C844D8FD47160B4D273AEF201FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:38.095{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21BA877A5BCEAC71D645BE7184DAF23,SHA256=124893011E84A5EE914AE06ED053CC960C06149295D02FF24621A7E0D56C8DC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:39.555{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC26411C7C5E7DBEC9407B36E01DCDD8,SHA256=F35BE5BEE4C3CC53081218746EB0C103D6A74B69BE731EAE4830AB3788ADCBA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:39.095{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BD9927D33BFBDE096339601EAC62BF,SHA256=685A9448893324C37B23C54659B1970EE99A29A70D17A6C2EA5C36C88C397394,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:36.535{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65111-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001540958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:40.587{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0967D67D2C2541EC379171B88D5D15D6,SHA256=30AE1ECED233976AF326D33C0B0A994DE02A1AE58F94E3D7EEB92489F1273A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:40.110{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A946B05F228EA948432CF47A6C997A54,SHA256=B2AC2546581307D6C994C1D2CC0F6A7B4E8B44DFA8253FD51393C27BE9645BAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:37.935{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-7546-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001540956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:37.850{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-6271-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001540959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:41.727{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8BA4E3AF9BEBCF64C9653F0A7193E2,SHA256=9DEEC113F5142CB0E4443F36B81634C0CEC4B9D09BEA327C7DBF41CBE54D0B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:41.236{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3682EE4361ED3E129520ED015FBF2730,SHA256=3CEEC5014AD8AFC167ED79786EF2F83BEC71479E9D4F9259C6AAB87DB28352BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:41.236{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6F644F45A8BD84C5BD74188041DEB0F,SHA256=8A5CD63FCFFC2BF544243E67CFED0BEFC2280E672A09EDDBC23ECCBE6D1837C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:41.126{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33FAB6499B425AB370AD159199D3C9D4,SHA256=D91F14EB8923D12ACF38F348263FC54A77B50A6A23776D1748D6099B19A8D1BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:42.727{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64B7D691B0C0F24DD66CE693E0BD0627,SHA256=51DEE8DABFC37E4D32142FF3FEB14BD05256EEE3407FFC94E4F8E60B26CB052B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:42.892{69CF5F33-2C2A-6154-DF02-00000000FE01}40042356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:42.736{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C2A-6154-DF02-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:42.736{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:42.736{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:42.736{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:42.736{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:42.736{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:42.736{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:42.736{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:42.736{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:42.736{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:42.736{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2C2A-6154-DF02-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:42.736{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C2A-6154-DF02-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:42.736{69CF5F33-2C2A-6154-DF02-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:42.392{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3682EE4361ED3E129520ED015FBF2730,SHA256=3CEEC5014AD8AFC167ED79786EF2F83BEC71479E9D4F9259C6AAB87DB28352BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:42.142{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BF3C6C188F38B7AD6DB6E6A83DCC15,SHA256=ACA9C3CE1A052E86778D2E3199D4F83808898970AA228B6C4C5CF8338CE2234B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:39.474{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54250760-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001445902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:39.832{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-8749-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:39.825{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50759-false10.0.1.12-8000- 23542300x80000000000000001540962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:43.743{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA7A2ABFE9F0E04F9A1B399810E469F,SHA256=5D3BD3A9D03DB83DF519D2A84A805A43D649A3CBC75E08F3B6F9536075A796B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:43.595{69CF5F33-2C2B-6154-E002-00000000FE01}40883444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001445936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:43.517{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25F8083240EE959D30C1F24843A710DA,SHA256=A8F2C9CB23675224D89B81EB346C396CC777CD95B957881F9FBDF56325DAE9E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:43.407{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C2B-6154-E002-00000000FE01}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:43.407{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:43.407{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:43.407{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:43.407{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:43.407{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:43.407{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:43.407{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:43.407{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:43.407{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:43.407{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2C2B-6154-E002-00000000FE01}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:43.407{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C2B-6154-E002-00000000FE01}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:43.408{69CF5F33-2C2B-6154-E002-00000000FE01}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:43.173{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990D8D70D2102291F637D9CCCDEF4694,SHA256=E9B79887F36F41B6FAAF36A9D60B623B4881526FC1B04DC6D55E4ED0E77A33B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:40.943{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-14928-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:39.912{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50760-false10.0.1.14-49672- 354300x80000000000000001445919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:39.856{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-8876-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:44.774{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BDAB02120C36A7331A08D9D4149C05D,SHA256=9051A8647F02C0E6604D77A965F4FD32E1A010248CEC6710E26029078C33E753,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.689{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C2C-6154-E202-00000000FE01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.689{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.689{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.689{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.689{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.689{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.689{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.689{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001445959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.689{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D66A6B638B2EC4F1789AB034B73670D,SHA256=C54F1511661DD35FCA798D22C269B10F1AEC3AF2CB4F30113FE42734200EB7F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.689{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.689{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.689{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2C2C-6154-E202-00000000FE01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.689{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C2C-6154-E202-00000000FE01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.691{69CF5F33-2C2C-6154-E202-00000000FE01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001445953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.689{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D485F200D8F7E4B227566CDBBEEB7D7,SHA256=0E5632F85923E2C9A0FA5A2D560D20A81F4529BC4AD0F9425CBBE8E2B6D6D831,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001445952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.251{69CF5F33-2C2C-6154-E102-00000000FE01}32803700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001445951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:42.110{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-21226-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001445950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.079{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C2C-6154-E102-00000000FE01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.079{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.079{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.079{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.079{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.079{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.079{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.079{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.079{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.079{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.079{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2C2C-6154-E102-00000000FE01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001445939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.079{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C2C-6154-E102-00000000FE01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001445938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.080{69CF5F33-2C2C-6154-E102-00000000FE01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001540965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:45.788{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE2FAD08E7DA66CBEBC113770950E86E,SHA256=AC77C008D150AF47659FD46224A568540B855D2F261C76B80DBBC3BCF927DEC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:45.673{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41A32909C5CA1FD1B36F38CA8719ABFD,SHA256=57C0BD581ABE3FE56D9B0993A0B4159715F3429E4CD64D5477A14F1ACE3E2AF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:45.361{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF61BEE7A417C3323606DCEEC3E3B87,SHA256=6B249134CDB6F8DC93C44C50E51323B5F45B746BE98A5BE5AB1B89ECFCC46488,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:42.535{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65112-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001445968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:43.220{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27002-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:46.788{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C442ACD6BD3CDA7DD9F3E3166BADF377,SHA256=85F7CB5105BD7EA1E674456E8FFF03E383BC2802BE68591AF3F58355A84749AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:46.876{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA6759AFAD0FF2819224EA4CA43808C2,SHA256=493DD9C38A4CED3ECBA50C066C4B17A1147A0162F0141281F708C95C21C03319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:46.376{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E917F5C3811AD5E813E53F27CA1A64,SHA256=059DF776D179594C9F6376EEB9A039DCD0ADFC9E1D3DE5D0C84586B95AD89355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:46.038{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:44.299{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-33030-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:47.819{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=925A7B1C4444044F113FF33924556D20,SHA256=A2F02761DFEBCD8CC0C4FB09CBF3159C53CA8197F2E4EEBA73B23A5C82181626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:47.393{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D861C247AABB7808DB58D62821576884,SHA256=302533FB10765515B3897278E9A5C9DB350B72B12B7B2E86798C6F7A2D76ACFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001540968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:45.315{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65113-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001445975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:45.778{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50761-false10.0.1.12-8000- 354300x80000000000000001445974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:45.426{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38943-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:48.834{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624A84731CA290C2C7CF6AC969AD97B8,SHA256=5E884CA87344FFD6763E37B7B4B8109A97023901B0AC4A6E83AF9617506E3FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:48.470{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8501887335F12F4A3FC7FA3E194ABEC,SHA256=6A44234943C1BB3FF4C223D95A76F736A97A72F3FD54D44F700353635DF0D300,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:46.592{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-45350-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:48.001{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DEDA104EED904811ED38AEBEDDD2AF5,SHA256=DEEF8CD3FD561D029FD0616545C2E9305DEF24FD7F34FDD6F8E7489FDD52E3DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:49.850{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F59CE4C122BA4DDE017C81D011D05589,SHA256=4596E044280F15675A3F910800B333137BBA86B63DC3A1EC5DBA99BE17AB3296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:49.470{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4DCE7289229B878407B015F31A2CE2,SHA256=474452E6E97D2293E9B61D4297FF30340DBAE4D67D68D91F55D803D4FE99A9B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:49.080{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFC0B36E39BFAE6ECF692B3D0F3E1363,SHA256=7D0BBC553B89D77F5B3C05D5047E1913A5D9CA3392AE58E1A7C1F0E94FD270B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:50.851{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333C51148DF8DDBC0DCE55E65B73EE4A,SHA256=F5E28A14A6C8990F4A736C2F1792A153B714D0C8EEBD9FF918EA8FE8F9808002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:50.486{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7522EF6AD8EDD5AACDA6DBC0CF8058E4,SHA256=24450D93ADE1D274379B1DC680B2A9E1397B1469ACEDCD9C2BC8B02FE0EB61A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:47.705{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-51856-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001540972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:48.394{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65114-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001445982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:50.173{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0F71BEEFCD0E12B424A806C217789EC,SHA256=2B4C83A080CF0A03DD956C76D6BA276D482F332CC2D8372547E07F7984326265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:51.866{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863FF8C31D771DF8925162290CD9D160,SHA256=F00E4FDF5178F90E5D9BCB54B33CC8A8B0F8C8FE3B662456C310B2D9C4E561AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:51.486{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C3062BD9E2768DA5B4CA88A661A893,SHA256=63F95AE6435254AE9605F6F0BD501676D023C1AF497187F2282C5640E43A0AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:51.010{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-080MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:49.876{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-4712-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001445986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:48.784{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-57827-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001445985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:51.251{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44F75685527D600F803F9D2B567AC53B,SHA256=B0F1472FA8A7B885FE9902DEEC3A19A0BD3D4FFB094500B5E3E261A29C73184F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:52.867{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3346511C8182639A6DF7818077584EDC,SHA256=B8092F41E07BA4903AB0C5EA409D430002417723714F69A77859D2D63A59CE1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:52.502{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=090649A3F0E4C60B8F61E04EA6017A78,SHA256=03AD3E8F2F2984AF985196FE6F8604432B98B8CB4ADBB0283A61DFE0D1D9DA97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:52.024{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-081MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:52.377{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93EEED050342674C675D87DD2A7CD778,SHA256=CEF2E96EE09B3AEE433E10976E57CFB036B7A86ACEF8E46B3C188C995B043B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:53.867{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A74F72B87D644603E6D3B41639D1AED2,SHA256=0AD32DE2E32EDB8C19EA64A93497E81CCFE174D2B8A2262FA92B27603CBCA7E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:53.517{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCFA59526E8DE4382792CC9FC2D5580,SHA256=EA78857EBE512128375CA02304FDF6B15441E039CAF871043E04B1AC623E3B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:53.455{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78D2A59AF054A2C8D2C2D8AEBBC3CB15,SHA256=321AE11DBFC3D6EB215477153D2F7C83348C647201BB8D1E2BA5D0FBCF5BB59A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:51.732{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50762-false10.0.1.12-8000- 354300x80000000000000001445991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:50.970{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-10540-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:54.867{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001CC946AD46CFB569B4369A1E75B2F9,SHA256=DA2728F860E62836435B5A9A26033B75B75E28647038DB5F7DA3308546706D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:54.564{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7993A034A2F6848333D3054815239944,SHA256=B7A1798242C6FFA1EAB015DD529710867C9585CE4A93552135FC79AAD7D9EC22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:54.533{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03B61C9BADF15D896939EF4C32F964AA,SHA256=6B9EC4B566BDA3EE0B8030BB2138BD6F5A59AAF2A860AA91DF12BD30A504313B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:52.080{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-16347-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:55.867{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC5A07B5532D6CA3FA81091EBC97360B,SHA256=129196C79CE3406A13367B685EF611B876F57581EBFF076BF874A69C29D535A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:55.814{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D7BEC8ADAFE5536487B6F47D5B30B8A,SHA256=4235D1D42E3C26DAB2E5A8DCBBD5BE271759B329F99AB8E29FF6133C23D76270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001445999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:55.564{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B77E8BE186F4416BAD93985BFC117C6E,SHA256=BEDBC5D504F50643D221F461B21DC17AB4E6232E86C9B8BDCEAB41E3051A5B5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001445998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:53.158{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-22167-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001540981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:56.867{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6702DD28DC509C724943BF0B550A15CC,SHA256=94B055298EE650E5868D7E337C66AFEAD76B6C28CD7CEB1D7E3031FD77353F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:56.892{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=049A07D3942AF6E8B26C2A14665AA067,SHA256=DCE286342D27712A696DC354EBB4795B6C9F6BE2D90F358B5D11EC42D9D59314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:56.611{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82544777C96150DF7EA3358D85309177,SHA256=80E855A7FFBF3496033D25F137FA046F2AC60844F0727B703F5B819E053C0630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001540991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:57.883{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B5858D10E63E737B1F1C750588C76B,SHA256=697882A86B2A2FD93E1DEB492F3659A6960F1089F568EAA2CB2FDDB529032067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:57.970{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B01C87AE8F2EEB6027A39C5EEAB6C8D,SHA256=033826A8A14730E089E7439069E9A036CE4D00C64510325EEE30C79E277D5741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:57.627{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1988F8EE2DE5AC287FB30776EB1859,SHA256=7BCDEBCD64C4BE3F24A69A4A0ED313276F08EF13A5401D541CAB0E80E535D08B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001540990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:57.633{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C39-6154-1603-00000000FE01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:57.633{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:57.633{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:57.633{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:57.633{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2C39-6154-1603-00000000FE01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:57.633{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:57.633{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C39-6154-1603-00000000FE01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:57.634{5EBD8912-2C39-6154-1603-00000000FE01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001540982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:54.410{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65115-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001446004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:55.517{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-35097-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:54.248{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-28216-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001541011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.883{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC75AADEF74FA0BBDC1954A8918D6DB8,SHA256=FF2E238418EE73B53C94C69DA0FED2B9BA33A9CB71F3E927D7718EA72CE1B612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:58.642{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D978157AFA894EA17F886F72B71B14,SHA256=B92D8B65C88AE050606E7C46FEB2EE5C11E50FEAA84ED3A8E22BA9E736F86DBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.820{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C3A-6154-1803-00000000FE01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.820{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.820{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.820{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.820{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.820{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2C3A-6154-1803-00000000FE01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.820{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C3A-6154-1803-00000000FE01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.821{5EBD8912-2C3A-6154-1803-00000000FE01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.711{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24F757CA3A48FCF021866CD0ADAB3B91,SHA256=CE5BB6DD610F299AB1A5FD13B18FF3EEF77F4E2E179D4AC3185CD9994372C27C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.711{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5AEC81B7B7ACA38066F06C419C3CC8B,SHA256=21DFE9D3ACD77AECD9ADA56E93A7837A8EE12C7186121628EF3E6124A61CE5F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.336{5EBD8912-2C3A-6154-1703-00000000FE01}37602160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.148{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C3A-6154-1703-00000000FE01}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.148{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.148{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.148{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.148{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001540994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.148{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2C3A-6154-1703-00000000FE01}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001540993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.148{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C3A-6154-1703-00000000FE01}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001540992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:58.149{5EBD8912-2C3A-6154-1703-00000000FE01}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001446008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:56.934{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50763-false10.0.1.12-8000- 354300x80000000000000001446007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:56.595{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-41299-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001541013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:59.898{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12309023AEED5C3DAB5C5B308491C6E,SHA256=96D4B9413C59C6042D46235E194FD2E78FD3EEF08EE23812A6DC1D5944AED2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:59.658{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECE8349EFF14CFF52EFF5B52AFB9BC0,SHA256=3D5DDD664ACD4B2A8FD7783785C39F3F5C12E1B135655168AE68E0001CF5155E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:59.820{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24F757CA3A48FCF021866CD0ADAB3B91,SHA256=CE5BB6DD610F299AB1A5FD13B18FF3EEF77F4E2E179D4AC3185CD9994372C27C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:57.673{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-47280-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:59.111{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17570CD1302A7059453A71A62CC3BB09,SHA256=D0DA822E0EBFF698F655F9818CEF8DE8F8492929178243EF1EA0762B35489D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:00.914{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE20DA2CB46B950C8A7DA6245EF8CCFC,SHA256=C9F9886CF67730917838A7F2D847D6736A55C14132ED4DED1EB3313503C350FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:00.689{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FA3A40C34FD26FF46D370A8137C9AC,SHA256=47B4FE5575529C625B7ADD6BF6993E09158E76988FF7FB5D1AE4F4A3E38EA00B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:00.174{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38BCD2BAF90CA8661D3960FD86FD1531,SHA256=4ACDBC9E6818B47717E598CE5258C5B0FCA4CBB6F6D613DFC5F8021FDD0F43E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:01.930{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F19B784CE2CF844EF618FBEBEAFED11,SHA256=98592DD6BD38781FD2133096C5CCB0C234B384219BB67722F5656D4C6A795124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:01.689{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078680EB922272A26A0A458DD09ED1E0,SHA256=FD822F36E88BFA8E91431D8200AE4F73AB7E3811A4715DD2A95D4C0C181C5A16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:01.727{5EBD8912-2C3D-6154-1903-00000000FE01}59763868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:01.523{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C3D-6154-1903-00000000FE01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:01.523{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:01.523{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:01.523{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:01.523{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:01.523{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2C3D-6154-1903-00000000FE01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:01.523{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C3D-6154-1903-00000000FE01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:01.524{5EBD8912-2C3D-6154-1903-00000000FE01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:01.055{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAC77AE6A38D6C1FC086BF3125F6FBC5,SHA256=960FE61D108749BA83A0974C1A6E2AD998E60DE6A1DC2C610B7EFD6AE4F306E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:59.893{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-1127-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:04:58.814{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-53720-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:01.252{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F20B7745EC00402F843BF9B677EB4261,SHA256=2AB1B5FE10EE6EE3FF8E8034BDFEB1B52791BE32254912A7AE9BE71F2BE1F673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.961{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0123C83FE468FC47B2A65D4DA124E90F,SHA256=3ADE5719F2E87A50199B51DF033CEFC4AA6603FD9804A82DEBDD31B34EAE960A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:02.689{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3CF5E58FAE12FED86833BA668091B85,SHA256=FB491C7D3C373460E720DF09D03188F7AB3CA6BC96A8A356A6BCBD72AE083678,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.883{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C3E-6154-1B03-00000000FE01}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.883{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.883{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.883{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.883{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.883{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2C3E-6154-1B03-00000000FE01}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.883{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C3E-6154-1B03-00000000FE01}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.884{5EBD8912-2C3E-6154-1B03-00000000FE01}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001541037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.680{5EBD8912-2C3E-6154-1A03-00000000FE01}45842360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001541036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.555{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=550C22437585DC90AF5D263AA12528DE,SHA256=7544C3C65ED8CA51D9E8DC9B25B3BDEADB963D3625D25457F8A66E2B3F61985B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.336{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C3E-6154-1A03-00000000FE01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.336{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.336{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.336{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.336{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.336{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2C3E-6154-1A03-00000000FE01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.336{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C3E-6154-1A03-00000000FE01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:02.337{5EBD8912-2C3E-6154-1A03-00000000FE01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001541027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:59.332{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65116-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001541026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:04:59.332{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65116-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001446019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:02.486{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F2B112935FCB3982BBE54C0F5D190E8,SHA256=C958FD9034CABBF33F971CCCB41423CFEC53B5FE133949AFA0DE318F95249767,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:02.203{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-13480-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:01.037{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-7322-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:03.690{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D335446DFB17A5BC1D487512EA871219,SHA256=DCCA675C4AE275364F253131AFF0AE93EAA5DE27D0C1F26613E5D631932FBA06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:03.883{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94EAF7813C5EFBAF7E887A4A083595D7,SHA256=752AF63CBECAE413B3F8E972F9B1DA24172CB27AAA410C5ADE962D01DE01F5B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:00.442{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65117-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001541047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:03.117{5EBD8912-2C3E-6154-1B03-00000000FE01}1716428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001446021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:03.611{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4C0B487A166C573A4B1C86F01AA7082,SHA256=0F77CF8A3FF7787C7A96063256BCAADFE9485BF86C38A3C1BD3B87238A004302,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:02.856{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50764-false10.0.1.12-8000- 23542300x80000000000000001446026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:04.752{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=166B27E69688769F16D068D62E8C922C,SHA256=1CFF74FDD8C2A61FD28764438A379289E3090579540F145B08F44D8AFAC3BEA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:04.721{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747C79241527B3FD59A24779FA1ED2DA,SHA256=9CD2EA8F2E5FE1FDF2C2B3709378D839C9CED8DF34D7BDF7F6539873B36EAD72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:04.648{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C40-6154-1C03-00000000FE01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:04.648{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:04.648{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:04.648{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:04.648{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:04.648{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2C40-6154-1C03-00000000FE01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:04.648{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C40-6154-1C03-00000000FE01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:04.649{5EBD8912-2C40-6154-1C03-00000000FE01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:04.039{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD6C40A2A94E392554FC38C246D21459,SHA256=9C12CC55B1022D10E3E4BEE6F6ABE32A62A59A1BEC3ECF5AD08FC382FA183620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:05.877{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9888862FF4F7BDC6D98985ECD34C210,SHA256=CB9A01DDF5743749F1DE492ECB7F8D5A48BD61E1C5CC76F9DE2573951BF74257,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:03.338{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-19982-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:05.736{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9747353D2EC2DD7898ED6474C238E875,SHA256=233083EAD212A0B164E5A8DA7CC359C7B30A6B385724A0C3866888034858CBAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:05.726{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F53E1F71F45B67F6B768A371A8D98F81,SHA256=BE2A613C623A6D203DFE92C27FFCDC749C8CA1EC838A604F38FC2A9D63816CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:05.273{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798D48887AF40AD315B7AE1910F8BF2D,SHA256=631CD19B5DE268033B39CB25B7FF1773D68EA0BD568926ACC293D6664F8EAE79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:06.955{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C148AF29442DF2217C89832521248538,SHA256=787A4D3FCD3EA4D1D4753214777C38D620B7F7CA27434FB6542319375CF179A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:04.470{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-26299-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:06.768{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D3D4EF81DD49563F6F8EDE85DCF5D6,SHA256=8C0D124DEB86E54E9DE1D38554DEB2001FE0CE8B0F857C9CF4B186D098F7FC2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:06.288{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F434C537E93308476D4C2B58B1694F,SHA256=85532B901AFCE19431B1A5F62D71384EE43DC970026394530A6210B2A6373CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:07.783{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F465FFBF85FE13F8FE2E5C21C7F5B2A1,SHA256=5A175F975001DA63D450E6427A280240FC8B7EFC36DCBFE21AD0C7990017D334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:07.413{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=033346CDED82F70D4D7526828F8AC825,SHA256=8945AA9028649D2F990CDE22F349964670BCE573EB4FAC59A02B900306294681,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:05.581{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-31920-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001541064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:08.429{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29CEFB3D52D2BEF425971BE6A32069BC,SHA256=925130371F999468066EA721DF0F560F9ABE943257259E42224C72F53C0A1A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:08.799{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA91E1F7C16E25B9D664D94FB518C844,SHA256=42479DE981FDFBA7B7A52A47E6DA3B55FEE46941F0803347402A9D47E48276DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:06.658{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38259-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:08.033{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB7B427A5B18C28FE0569242157001EC,SHA256=2DC4E5969258FF1F536E7E52FED4241D8088EC1A7909E847E5EAF5C15DE9DB92,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:06.394{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65118-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001446041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:09.830{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9163ABCB9A5C1F83120C059D2BFE5EE2,SHA256=F774BF2E338A49C331709F9110F81836BD02FF2D17BD89BA20EAD567E15DD66D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:09.429{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370DB29ECB9E0C08DE6FD18354A7E5D6,SHA256=00977426B233294C81BE90B6947C4AD9AC5C348E18262E30AEAB2A60CA1F3737,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:07.751{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-44179-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:09.315{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F785E0A511CB87D7F84626375CE20171,SHA256=6B310B129DFDECF27E717FE3452F0209E297123397BBC856BC38C9C012C13402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:10.846{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A4E5240472588BE8EC889518F5B0F1,SHA256=62AC258968218AF7FF2BC61438CF58AB579B3481C15AA949634CFA928695E5AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:10.429{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA45F427DEB5F14B39531F854EE95C71,SHA256=D9F8EB2C73B901661C79FC9570C6EAFB66FA50DC4322569308DCB60048CDB898,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:09.046{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-50898-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:08.857{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50765-false10.0.1.12-8000- 23542300x80000000000000001446042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:10.440{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=117FA6A4BC5129B32B71D301AB556A70,SHA256=C70DD23428281B46F16619EC858962832752763892C6ED25915158B8D80A6BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:11.846{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE0E5818E92DB1E8E8DF22932E8D129,SHA256=BB2D24ABD8D6EC2DDDCB516B8A6757DABEBFAFAF50E0A50A439AEDBC5384FCBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:11.429{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D96CB58F6E66B73849237E7A2510C6,SHA256=F779C7CFE96386A97F60CCEB1F7EDF86B4C54265D9D54B818E5999C12E470F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:11.518{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5400C16198ED62A461265382A45ED1FF,SHA256=445B0188670C8A816C9CBA9A4F125F7A58AACE5DA3DCB6369CC58EF3F654DFFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:12.862{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A891981036C5C6A9877A61E9AA69D6CE,SHA256=48AC9680E9877372045212A7F3F5B9F04D8D57EC2F54B365EA4215C97A3253FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:12.444{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1130BC455BC02ED0DD89BFB9941F51D,SHA256=ACF161B4BFB3586B80C5CFFBE07F2165BF04B842DB8EF6B89F210A366694116F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:11.223{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-4152-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:10.142{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-57176-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:12.627{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C33DE8306C13103B08BC7B0B40F842F,SHA256=D25CE73951FCF2F129D11DAE28C3C7DC5CEE7CC838A3E0B6CFC9F5B0F82EEE45,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:12.330{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-9778-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:13.877{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC41ADC4C6DFD7966D483B7EC5BF048,SHA256=7339F65A3967EC4B1F87959DB1B5216C7B4E117D3ADC87323E10AB323E20D258,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:11.488{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65119-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:13.460{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F60E8AA405B35EC2AFB0DF67AD03D9,SHA256=155C0BBB43290103EFEAA218436500FA4B9BD77D6E0008D7BCC953BC588EFF2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:13.705{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82A13D468DB4A8221CDCDAD3B435F867,SHA256=A0A26E5F809353B34708840A9F90AE85F342D10731DF1DE5B17C82FE9BC80A2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:14.940{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2278AF19546CD81DB101B4D858D973,SHA256=17BC020C8DBC3F884C35FF11C50792146C82F9E06387A226E2DC95C310F90688,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:13.408{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-15808-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001541078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:14.804{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:14.804{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:14.804{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:14.804{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:14.804{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:14.804{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:14.804{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001541071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:14.460{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B3E75FA98F7C6B0139E8E5FAE12352,SHA256=660A708130DEC58C1BFFD956488E9339636658BBC861A9B4B6A28F44A6D0E0FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:14.877{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A6DA767C10BEF2082C157F5D7C1D5D3E,SHA256=BBFCFC7D5BC339B0E4B02ADACE54C860B4C85BACF55806570B4C31BE35A6A17C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:14.784{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C9EC1835FED7268EFCD5D37488CBFC3,SHA256=FDF4E3CE62D0C251F922743603F5F3D4F411DA7142102026DA1CB27419C9C5E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:15.955{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13ACF21BDB876B6FF52D4D1A62158A2,SHA256=48A92B6BA4106EB663F072750791F0DA8B9D993AD1D53BBC2EDB9C2680AB2DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:15.460{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D884E9D7862705FBD25302BB459E2B55,SHA256=06EF36E6CB75C2AB24300E729A7E4D1E1861607F8DACFA0105633F595287E228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:15.877{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E05A9033EE52FE036E4736E0E7E580F8,SHA256=1D03C3F9436504EE88734CC6F3DCBCED7B7F6E87C28621BB16000B2D812F9B5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:16.710{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001541081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:16.491{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B573545E68F0BE012569D07BA543E78,SHA256=A6E96C8332D464F1B72BD846C3120E88EAB7E8C24652D60B2195A569DCBF9559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:16.956{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB68AE6C23FA41F3750BB5B601AB28FB,SHA256=93B781EE42BE9D928F1C1EDE409A2FB91D59D23F86A3E03D68D8584376FC6C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:16.143{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:16.429{5EBD8912-18AC-6154-1400-00000000FE01}9481636C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:17.944{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:17.929{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:17.929{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:17.929{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:17.929{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:17.929{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:17.929{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001541083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:17.491{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BD60850588C79BE0F8BDA630C173F7,SHA256=6A52AE58C2A9C215E871F59EDA9A006542E832FA17BC215C18DCB2C904010290,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:14.486{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-21838-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:13.888{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50766-false10.0.1.12-8000- 23542300x80000000000000001446063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:17.002{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE746DA6BBB7CF888E8009128D030F6,SHA256=486E922840DD4D9D5D63437CCC78EF4B98716E5628EC5B253B4D22A47CE7A269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:18.491{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65816294970B200710670D855D8FFFB2,SHA256=053F437846487DC82A81488B0325071633654672BE9C5F4B6254C5B62B74A894,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:15.825{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50767-false10.0.1.12-8089- 354300x80000000000000001446068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:15.579{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27266-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:18.018{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2AB260FA5ED6C9FFFC4567FEB745080,SHA256=8FF19B8802DBD75774CCAAF43F5A73C17575561C80DED45CD3E504DAF9A2571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:18.002{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB713161C42732F416396CE83C79CAC,SHA256=0602375963BB3ACF943B01F02A9CC871880D922642D3ECA8E9A0A112CB55BF1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:19.491{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054A6D62E3C29BE7FD311F8E97A212A2,SHA256=35996F4AFF66284B9FFA3EFD2176C40FAA35A5614374FFCC9D94482761A8190B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:16.657{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-33318-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:19.112{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EB7F4F0AF129F3357C91B784DEA7344,SHA256=397677BA69E5CE4A537AA559DFA4777C3CD33A80CC533401EEE6F169D0255478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:19.018{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A59E9D5C986FBC324B27BC5A6DC1B9C,SHA256=1C5304DA46CDE355175C919E47B51ABE414776DA53113C11F9417506ACED54F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:17.425{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65120-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:20.491{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21865A845DCD69707E146E58DEF1967D,SHA256=69BBFEF25B943548A85FDA6208BA459731EB732E40EEB4B0846503318E61DBBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:20.190{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D13F0AE4CDF167CBCDF45731ED8392E0,SHA256=7D203F4401C1D3CEFF598DE9F529B988E7B4595D6B78D26E133EF4B51885167C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:17.735{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39364-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:20.018{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029904CD7A9C03E5B7EF770EE1879854,SHA256=510D57F4CD8ABAEB1AEF916774D703A2CBC53D33D4CD65FF64CD5D5F54ED53FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:21.491{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E76594CC87D28E052510F55E2D38C658,SHA256=A091243512AE81B3033602B4D3C796A7281E40F0203C2F0D2FF84098098B34E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:21.602{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-081MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:21.349{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EB84596F414CCA038304B279CF4EDA8,SHA256=269E608082867D6856A0F858C139418736360BC150F79CAFA62CBB6E45D7BBB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:21.034{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30376903B2097FF1D02A609F7C76CAB9,SHA256=6CFBD45144C63B45B16CC81BF2D6666847463681AC0EF3283780CDB4F3A57CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:22.491{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C5FE1DADF745AE6B3FA915925D3FEC,SHA256=57FCDA2548C5570C7446C0170CFBA675C704F5E184D26806D2FE0110EF54EB2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:22.604{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-082MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:22.477{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F4FF2E1F2A324ED126A2D0DABD17E90,SHA256=B0BC75BF865566557AC220E1C1E5918BF631FCCF595D294A24F51F1DE162E0F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:19.925{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-50831-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:19.715{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50768-false10.0.1.12-8000- 354300x80000000000000001446080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:18.815{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-45011-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:22.040{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AAC1F5B668816C312B1C4F53BAC3474,SHA256=4782B7A17E0E1E5A0C799FA7C7B967F472B746811064D4BE7F6466524E0157A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:23.507{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE2ECF0C0AD87166D12F990A98F0D2B,SHA256=89863C051AB2E783BC4E088536F16340740FAC09EE95284380642AA13E24CB67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:23.556{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56FDAFCAA43D43B7F0A6763031CC7DE0,SHA256=9D25A8DB664362A6D9A8FE547CB0259FBAC5E7741D348F3FA60AB8B3BEA2D7C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:21.067{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-57146-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:23.053{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962CB70D0E187473FDBD8F780887E2A2,SHA256=63A1BDC8BB0BAF51ADC92B40BB8F89B666B97BFAD5943F3D3F4A5BF4F352EBBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:24.523{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C69D7EFCF9AE5835B3110397177FA5,SHA256=1E39E81B60687C419F2993B4FC8659AC2B527A42383DF025EFB6D27F3590E58B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:24.634{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67E71765218F7D0E0C5A6E69C67A6198,SHA256=FBB5526A01A9DDCAF0FE58C12304C0A022DB4F2FD65C4AFC700C2BECAF8B2A8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:22.179{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-4268-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:24.056{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119ABDBBBA7F8CC3A0CE5158E7CD5C04,SHA256=ED13D96EDAD655DDCCCFDB459756DBFE94F34B63538B44F4ACEAA2499C0C12AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:25.527{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBBADF50B78CF8806D708D6AD79CD953,SHA256=4361CAB75C39A429320B794CBCC00FC1947BB0420ABE40171152395A60080C90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:25.712{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACE53B0FE05F539ECFF0CD88E58C19CC,SHA256=78E16D3D888DBC28A9CF7D08466242B8D0D2FEE4E4A0FBB9413906311335F0D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:23.258{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-10099-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:25.072{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153D08DD7A74EEADA45F29B198D3EB51,SHA256=78690EAFC75B96FE25A8A8ED31B0E568DE5D5650B656E9CCA763A55884835618,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:23.394{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65121-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:26.527{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95768131832E1A633DC63ECC986E53AA,SHA256=AC66FF2D10EB126933F89A5AE7C9BEB9879113E537D6C994C20FFBCE7283A845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:26.822{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D41B6186E3EFB96457793EDF49ABDB66,SHA256=D2F1DD38D986C848B0FEF188E0E111EDCFAD24ECBB2CD1D0EC6711F35DAC77DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:24.337{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-16015-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:26.087{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10672E9FD39635EA04071FE990F17A48,SHA256=8738533343C032C70CC229CCC2A4A75E249C1A07ED68DEB3BAE67DDB80ED82E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:27.527{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248FE415FEEBEE3AF6EEB056E8E0DA63,SHA256=BF9BD2E6FA62E85D4B059E15C352A65DC99879B48BFAF7855F5D21025578E507,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.525{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C57-6154-E302-00000000FE01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.525{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.525{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.525{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.525{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.525{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.525{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.525{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.525{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.525{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2C57-6154-E302-00000000FE01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.525{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.525{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C57-6154-E302-00000000FE01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.526{69CF5F33-2C57-6154-E302-00000000FE01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001446099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:25.426{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-21639-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:24.878{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50769-false10.0.1.12-8000- 23542300x80000000000000001446097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.103{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EAFB0C7C34E42D89D8389BA81431BC,SHA256=FB8934B01BDB936EA85B495F081DFB073F6CFA8591739056D290C936CF0B3052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:28.527{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B29DAB24E94F7DB0FDD161ECA737E741,SHA256=D8D6501490C86A3845699DF21A072AECDEB43FDD297D19E0E0C155BA58AC98C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.619{69CF5F33-2C58-6154-E402-00000000FE01}784404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001446128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:26.571{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27946-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001446127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.384{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C58-6154-E402-00000000FE01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.384{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.384{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.384{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.384{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.384{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.384{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.384{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.384{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.384{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.384{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2C58-6154-E402-00000000FE01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.384{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C58-6154-E402-00000000FE01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.387{69CF5F33-2C58-6154-E402-00000000FE01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.119{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE20907D9FD26AEBA750602CD41F66EB,SHA256=E037F3E77546830F3EC42CDB305317E0690DCF5EC2336CA7B785FFA209E775F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.056{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EB5E838CC4397DA2420AD7D657D53E8,SHA256=34E8965FA54E74CE4A3EB2D389272CBC444101DB00158893DD691BB9529E3F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:29.527{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF4837A3F6792E65F4560ED92DC770B,SHA256=807AC0756EF0E2E908371FCEC0BAA2567D68DD261529F51882B093B532EAD802,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:29.681{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C59-6154-E502-00000000FE01}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:29.681{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:29.681{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:29.681{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:29.681{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:29.681{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:29.681{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:29.681{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:29.681{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:29.681{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:29.681{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2C59-6154-E502-00000000FE01}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:29.681{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C59-6154-E502-00000000FE01}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:29.683{69CF5F33-2C59-6154-E502-00000000FE01}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001446132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:27.759{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-34423-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:29.150{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49B26828855AFA1AB9CDFBE4EC09A9D3,SHA256=841E1FE5B3ACD6050CF759B7DECF8FA1986D6B5A76FC5990C98FA41E78729E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:29.134{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22392C6A4B90ACEB35980C2FC3FF43F3,SHA256=43EB95B7CF15F47B3BCD0FB0C59A4A7E401478B732F3AAD89AF87B68066A53E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:30.527{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B52AEA9E6A8838E4ABC3867DAF5BB5,SHA256=DB5E5A5D646119CC2644B85DCDFDD674FC642477E8813183630F77EED90D4400,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:28.866{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-40502-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:30.275{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9315D161C300072B6E4E108CB59379C9,SHA256=54DBB0E3A28E48D5A1FCF79A767ADF07316FCBA268F17EE78D00D22BFA9E1016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:30.150{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFB2106593E53D1F3B006F289BC478D,SHA256=252431CF3D137986DD0E84DB42E22ADD591A481787DEAF67E8816CBB42FF59F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:28.539{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65122-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:31.542{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD5F82EAD89FE8E4FA76AC1A9B573299,SHA256=570F9ABB7A5F30C8DF667C5474B936775008F8EF91AB97278E53E980388B8F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:31.478{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D8AFF7E1669E4B9C15223D006A8E0D2,SHA256=77D10F6171DAC7894249C27C2EB35AD6EDED5173F6AC1F71543B17DCC407358D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:31.166{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8861782D20CD9DC9972E289143D16D98,SHA256=A138A83BAB16B4152A389D638AC9B6E47B52F700FE66F702A4F5F4D88CA8652F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:32.589{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758694008694B3F903104C73742472F4,SHA256=75BA425976F2C24625425F79A00C986EB71FBD9E2B16C4CD17E90BBA082BE91F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:31.180{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-53191-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:30.831{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50770-false10.0.1.12-8000- 354300x80000000000000001446153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:29.993{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-46682-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:32.556{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E37CBFF448A5A60A11BDAD42C16D15B4,SHA256=E02BA80FF044F9E5E1C2FB8FACA7BD0825825C1BFD3F7E3F07B2EA09510BA60C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:32.181{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D24E9FFA0A6600FD878B49DCD2235B6,SHA256=41BBCD2C2D545E30632E79D3F69AEBDD980783D52F382504A14539739CC0ABBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:33.808{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9A7E42D72683D400F4B6E39F91809B20,SHA256=AE8E8F58F0E04F6ED6286B919F7C9EC21F93B4DA34D503910D474FCD6E5D88E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:33.605{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A195CB97204AF6B922F2152A957A7310,SHA256=39FAE12E0850AACE179B19B75C417297C6D2F39861E9E6AEB01BFD2CEF76B08A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:33.681{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DCA423DB585F9A3B2D4CE272940B220,SHA256=9DE23783CA9CEF6F2FD9B7E35D4EEE29025F70EF49ED4C4E7EAB66D424680BC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:33.197{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8987F6F0CCBE3327F2DD56709702EC06,SHA256=2601DDFE60DD56BB5C061511A6197FD35FCF798FCC07DA73B1C66E0855F77F68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:34.605{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8299E23B66148137416B1A6ECED48569,SHA256=81C55F0D1ACA581B14E0753356545948769349483DFCA4F6D0C46ACBD718444E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:34.853{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47757E6A46371F8BCE7C99E7588277B2,SHA256=D0C0B29041FF5B2E87E6B37AEA2B575BFD4E616ADEB9A9C28AFE0A5D9F372E8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:34.213{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC507FC420CBF2C04ABEACB10B3625FB,SHA256=911F1221BD0B79B30A584D7EAA4BB1734899BBF8C47C6AFD422D3823AB211407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:35.621{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C061DB09BD47793622569C947F40025,SHA256=1BA472A5CC12BD696BBC28F5E4A3DC5AECD95FDE466EC100F20703F9B89A5827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:35.947{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B48CC4BA7FF9A58DBB4DB558A803EB52,SHA256=977307273FC92B9105F80BB0E891BC233286F262B0B2231C5E4C10BE44662648,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:33.399{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-6112-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:32.272{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-59025-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:35.228{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFCCAC5446C8EFA025BE3FDA4402B020,SHA256=389B20EFB1799A85021439B466B91A89F32C3C92E99522A6185A93133003D05A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:34.477{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65123-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:36.652{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579D88970CCD5726A16E6B238A6B8DB1,SHA256=04810FB5E030BD8C0EFD7BE2B7804A3346160AFCFE3BF8461F8C098B975E360F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:36.244{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF831D5B6F577DE97A15E10E0BD34B3,SHA256=0BDAB2826713A62B9D151017F89F104485784B93CDEB327ADF080DC98A82DC2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:37.792{5EBD8912-18AC-6154-1600-00000000FE01}12721792C:\Windows\system32\svchost.exe{5EBD8912-2C61-6154-1D03-00000000FE01}4596C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:37.792{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-2C61-6154-1D03-00000000FE01}4596C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:37.746{5EBD8912-194C-6154-9000-00000000FE01}28444276C:\Windows\system32\csrss.exe{5EBD8912-2C61-6154-1D03-00000000FE01}4596C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:37.683{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:37.683{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:37.683{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2C61-6154-1D03-00000000FE01}4596C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:37.683{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:37.667{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:37.667{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-2C61-6154-1D03-00000000FE01}4596C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:37.682{5EBD8912-2C61-6154-1D03-00000000FE01}4596C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{5EBD8912-18AB-6154-0C00-00000000FE01}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x80000000000000001541115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:37.652{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48FDC305B3797ADAE4C82C349BDF4D33,SHA256=FAB06DABB4A7633DADDE8E1CD7B095D816E9795F8AD82C652AABEE70E6C1BAE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:35.648{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-18349-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:34.571{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-12336-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:37.244{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEFBC351FD3B2D922B40FC235CFF902B,SHA256=A63FBBE4D694C6F009DF3876E2DD23BC41E7A2FBB08F5A049A53EBD37C2846D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:37.025{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36A4F4FB312175D35FCFCBED4EF92B0B,SHA256=6A7B2FB614943B3C2F54C071BE309F3DD0B0AF8A9C197947935D15380B9D0B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:38.667{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85D12E07306711C5EC8B4E3623C13D8D,SHA256=5C3D81A3CED812F9185D8F083E491D797F780F47B4906AAB8CB0DA137029C94C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:38.667{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9376ECA515F3C644D8B6B5B5CE5FA03,SHA256=71EFF463E779379C7F1BDD6C9F81A389D43F3A5ED25AD918C8562AA72174A35D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:38.667{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B069609A610A104ADA6F1A73085EC5A,SHA256=DFB48A349709F003749A5DF9D0F1F32607738FF74972A5060F9F567D866A9590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:38.260{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53481E02CEAF197399797F5D3E956F82,SHA256=E0472ABB52BDB0746A069FD78D5CE4131B8C7A3E3D51B1CEB131B123EEEF5E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:38.104{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26685EBAAF2EC606E21EEE43DECC3DE3,SHA256=26D200E015B7A16C06FFD2265430118C89621783242132BF474E09E1BEE58D17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.980{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BBE6E7A1D50AF7C21560A7EB56FB78E,SHA256=0EC7B185AEFCFF93C05F5522CA4555475AF0C520C6B278D6883B47FCE9890813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:39.275{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9D9E688BF14DB25A7E3817A82AD49C,SHA256=F18460449CDCBD2F809868A3754788F4C4E908707D86B9F994928C0CF7ECDEFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.542{5EBD8912-194E-6154-9700-00000000FE01}50682368C:\Windows\System32\RuntimeBroker.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001541157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.542{5EBD8912-194E-6154-9700-00000000FE01}50682368C:\Windows\System32\RuntimeBroker.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001541156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.542{5EBD8912-194F-6154-A100-00000000FE01}44723740C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.542{5EBD8912-194F-6154-A100-00000000FE01}44723740C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.527{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.527{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.511{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.511{5EBD8912-194E-6154-9700-00000000FE01}50682368C:\Windows\System32\RuntimeBroker.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001541150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.511{5EBD8912-194E-6154-9700-00000000FE01}50682368C:\Windows\System32\RuntimeBroker.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001541149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.496{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001541148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.496{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001541147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.496{5EBD8912-18AB-6154-0D00-00000000FE01}9085340C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.496{5EBD8912-18AB-6154-0D00-00000000FE01}9085340C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.496{5EBD8912-18AB-6154-0D00-00000000FE01}9085340C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.496{5EBD8912-18AB-6154-0D00-00000000FE01}9085340C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.496{5EBD8912-18AB-6154-0D00-00000000FE01}9085340C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.496{5EBD8912-18AB-6154-0D00-00000000FE01}9085340C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.496{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.496{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.496{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.496{5EBD8912-18AB-6154-0C00-00000000FE01}8522516C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001541137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.496{5EBD8912-18AB-6154-0C00-00000000FE01}8522516C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001541136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.480{5EBD8912-18AB-6154-0C00-00000000FE01}8522516C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001541135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.480{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.480{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.480{5EBD8912-194F-6154-A100-00000000FE01}44724384C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.480{5EBD8912-194F-6154-A100-00000000FE01}44724384C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.480{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.480{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+23084|C:\Windows\System32\TwinUI.dll+23138|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:39.480{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+230ec|C:\Windows\System32\TwinUI.dll+23125|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001446173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:39.182{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C687442B16F060C230F9C0E39439BD42,SHA256=A4932A69C3C8FBCAE682C312DB9EBD0DA772AD7CE6A214E044EC9C9C93B9B144,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:36.800{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50771-false10.0.1.12-8000- 354300x80000000000000001446171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:36.727{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-24164-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:40.291{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA4DEBB08878E1A32F8D76121D18723,SHA256=356FC3C8A78ADDD9322FC55346E4A0BB531B0F83A610B629D3BE7BB6DC11A2FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:40.933{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001541165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:40.933{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001541164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:40.902{5EBD8912-18AB-6154-0C00-00000000FE01}8522516C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:40.902{5EBD8912-18AB-6154-0C00-00000000FE01}8522516C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:40.902{5EBD8912-194F-6154-A100-00000000FE01}44723632C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:40.902{5EBD8912-194F-6154-A100-00000000FE01}44723632C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:40.887{5EBD8912-18AB-6154-0C00-00000000FE01}8522516C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001446176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:40.260{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4265784C769DDF27500224C5AC6D1E66,SHA256=82319C9EF7845754B79119F1F78B52AEAE6AC0F17626A675A6B88841F8A673E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:37.805{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-29737-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:41.401{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0EC28F84D35299FEAEA4CC135701495,SHA256=D855EAF7B1C04BA347062B06A1A6DD0A43056A4274ED79F4452CA5DC3A022B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:41.292{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453DB72A1FAB7B48E8F4C7D84DD4272D,SHA256=ED967087FFE3E12B93174EA6828E2A5AEC53B25839463BB6A9626B9882BBC261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:41.011{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D9036ECB946FE27B77A128927DC900D,SHA256=537BF5E8EF7BF72D04432946D085C70C3FCAED680172170D6DFB19DE777A5AF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:38.886{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-35666-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001446197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.979{69CF5F33-2C66-6154-E602-00000000FE01}1088712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.760{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C66-6154-E602-00000000FE01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.760{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.760{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.760{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.760{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.760{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.760{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.760{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.760{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.760{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.760{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2C66-6154-E602-00000000FE01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.760{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C66-6154-E602-00000000FE01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.761{69CF5F33-2C66-6154-E602-00000000FE01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.479{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=813D4AA5558B53D049F24AB7805B312F,SHA256=2F2EEF9FF75E80DE10B1F3C8EEEC3D882B1D5009598B3B4EBE8A073E2EA2EDBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.307{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68D5ED1EF6212A34B20A27366D9B98C,SHA256=39E455D6BF5FB787AEBFB10AAF1DA9B525FB1C874EE21C2F9C81617BE1F3567E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:40.524{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65124-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:42.011{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9872BE89C39D8F7B1DAD5586ED5DFD47,SHA256=79AF72F35EE87C73B3F831DE4F01B3324F2F5FAFED717B39EA07669332A2C18C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:39.975{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-41642-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001446226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.932{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C67-6154-E802-00000000FE01}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.932{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.932{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.932{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.932{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.932{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.932{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.932{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.932{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.932{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.932{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2C67-6154-E802-00000000FE01}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.932{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C67-6154-E802-00000000FE01}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.933{69CF5F33-2C67-6154-E802-00000000FE01}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.744{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597778C27BEA489C166152DCCD1A6AE0,SHA256=B07A5D2D5925842F1D80858CC417F4FC4FD397E5153F8410F3C9DE0EC371993B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.744{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EF7DA7F032414FA45EB642AF908402F,SHA256=F37677C10E73D26EEB70C5FDEA2AB3607839BE033D1636905C03D84540B6A9BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.479{69CF5F33-2C67-6154-E702-00000000FE01}39162756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001541170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:43.027{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E46FAC64958589A08424C9E0F6C88F6,SHA256=DF920ECBA2A6715E835AA0185CC8EEA7138DDD585A26AB8E6315219A398F1392,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.260{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C67-6154-E702-00000000FE01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.260{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.260{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.260{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.260{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.260{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.260{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.260{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.260{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.260{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.260{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2C67-6154-E702-00000000FE01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.260{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C67-6154-E702-00000000FE01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.261{69CF5F33-2C67-6154-E702-00000000FE01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.838{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91F9BD40319075984B6ECB9F37C11B10,SHA256=6FBA949178AF7EE2438F274027C9EBB869D8876A1174E5104D7752D9B8A10D6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.604{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C68-6154-E902-00000000FE01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.604{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.604{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.604{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.604{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.604{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.604{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.604{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.604{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.604{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.604{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2C68-6154-E902-00000000FE01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.604{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C68-6154-E902-00000000FE01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.605{69CF5F33-2C68-6154-E902-00000000FE01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.541{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2292007C0F59BA32876C4D22CF1E3FB1,SHA256=C927B01CC292FF32F40B227EB8D2242A63F4288D4063F54F5D9D56A57808AD3D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001541173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-09-29 09:05:44.808{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXEC:\Temp\evil_spooler - Copy.dll2021-09-29 09:05:44.808 10341000x80000000000000001541172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:44.746{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001541171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:44.089{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4EAF718B52B3DC7F8FFF34B5FCC01C,SHA256=D8225657A3C7F0D8BD6D64E6DE3AB8D9EF26B9C318601A2526460EEA7019214C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.195{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-53711-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:41.101{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-47579-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001446227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.151{69CF5F33-2C67-6154-E802-00000000FE01}37923504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001446248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:45.948{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F37B72A621E46B28C3391FB9628A3DB,SHA256=BBCC9E6A8BFFB366A943436A256283ADFFB1017FF504B2F4A97872BDFDE66903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:45.588{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5553594B978EBE802AA5E85F1AB118,SHA256=DF9DACEFC99BDED07FCB4332774FE5042958BF6D250565D89DE07BB3F3188D84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:45.089{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3661C27F6D953751BF1DB68A0BDDDFC4,SHA256=E9CC7ABA9226D51C6945585317CDB22C855512349CE70106BC7ADA84DD01D700,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:43.428{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-1363-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:42.816{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50772-false10.0.1.12-8000- 23542300x80000000000000001446250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:46.604{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5729B11291145D2047B16ECD0C0E6804,SHA256=91CF4DF6279BDBA1126F03B5EC900E872A4D4EB08990FCAC6AEB5718214ED1F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:46.218{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001541184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:46.218{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001541183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:46.218{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001541182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:46.218{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001541181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:46.218{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001541180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:46.218{5EBD8912-194E-6154-9800-00000000FE01}42641372C:\Windows\system32\sihost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:46.187{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001541178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:46.187{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001541177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:46.187{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001541176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:46.093{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4849DC4B9A1B37DC372E2261AD521142,SHA256=126CD3D7718B5C98E8BB3263EC48815223F87EC889B795E3423046C34E5534EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:44.551{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-7686-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001541175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:46.062{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:47.635{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC0A9C1322EFBA94D7CDC13CB7EC05C5,SHA256=936132985C33EDEA68C726C4833B1AFD5BE3AB71AF4C3B7C86923D444AFD3B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:47.093{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F558F4D31A42827D93AA8CDA4BE093,SHA256=60EC1AE2DFD20F33496E11333E9715B2374EA6063A58C5AEC99B89EE5C877EDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:45.729{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-13893-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:47.120{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B30AFA911F39CC5E71310AA21B74B8DD,SHA256=A9BC9745444E75DBCB87292BBD6C66620812C9074ADBC5D24BC7F3AEB7E2A5A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:48.651{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C175EF255A67132C99B1E13D27625D30,SHA256=B104417D418507861A216F9D0D1CD10E2D32C4BFD0ADC479393F394FFEBBEFDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:45.340{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65125-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001541187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:48.093{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F7378AE71E9B0342A9700A466C2024B,SHA256=CD6FA3290B25C5BDF03025584D75B7F324F4B81B8CEB83895C16FAD13ECBC1F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:46.831{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-19509-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:48.338{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8A6C407A0052913C47EC46D1D240E82,SHA256=4A47B64ADFE2227FEA19F6D1381A16C13E268A43CF1C1C8AE07B26467D4662A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:49.682{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E2C4A0A0E3C1FBB0EDDA2C00647F32,SHA256=08E88CCC42E7D575E3793F21428AA63AA6B35BD7067A170D58FF191AD1EA6433,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:46.481{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65126-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:49.093{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42139581BDA014B0B875724121326B93,SHA256=DCE1CECE4875C914B9EB2BA9843CF47A7BBD989C44FE7A137869840B17515BDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:48.039{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-26291-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:47.878{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50773-false10.0.1.12-8000- 23542300x80000000000000001446257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:49.479{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=475F12D19905278F20F7089C894F7CB8,SHA256=94CE51F14538A17637DF41DCE5D85ABA86A1ED6A35A2331F698F0B5502F18762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:50.729{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC042F5763740D92868905F27DE3194,SHA256=9095E55E5E397AFB2A8566DBBFDF47E4338FF9FB59B3A5E5DB6F69B59539620C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:50.125{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47D28FD149E92145A6AE0E518005396,SHA256=190023A260276376AFD9251D036FC72CE144EADB64785A38398B7D4389465625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:50.557{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CEEC401D9BD45BAB517FB73BA9275D0,SHA256=713C6343D722CFC9CD46CD2C7B52169A48C493FA94D89688F56F0DA6E8DBFD4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:51.776{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3866DEC6C42AFEB3A0158E305D6205,SHA256=3633437E03DCA705AE938155964AC481E850FB7E9C3C57F6C6F66BC56670C7DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:51.234{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C26B2AEAEBE489A18CB206E25914E344,SHA256=292B17E8B5896541A5328EB5035C3261C670B3F129F8025AFDFF8562E3EADFE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:51.760{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C307F4776E5CC9BC35F28CD8789A3787,SHA256=9E6CEE592C8D904F8F193A40135E706230CF0D4BF285078B09D5439523A6AAA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:49.179{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-32720-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:52.839{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CDAB1D080FF2EF7C22306EA7361CDFB,SHA256=76A6C65AEAE68C0E4CDB183275449F94EC8962D7D063F28132997F1C72DF620A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:52.792{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BDFF1083C08CDE3DBF242A5D7B1138,SHA256=96CBBDBB3D0C4C4CA5FA5E0151FC622BA5CF8BBDA6CF0AC31596EE6189A7956C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:52.552{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-081MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:52.236{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBDA60399F34C29213488B456024F749,SHA256=21E8AADB34C868E1F5F6B8336D164E8FCD7750797D4686DB193A831BBAAB7D32,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:50.347{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39221-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:53.932{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCE817663C20472C1EDA6B5611FFB840,SHA256=3F7C029CE89849FAAF8AA38AAA0A256728EE072073D6AF952130C9F946CAB7E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:53.839{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFF1BA6F8418446AA8CBE6B52334A4E,SHA256=4874E6E429EFD1E09B6158DE6F9045A6A8B0C157040E24B6B8A39A8169397F9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:53.563{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-082MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:53.249{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C49AC9814EAF5658EAB68E9051D1871,SHA256=9B0308C19BC55F84033D3E0D82145AA4BF5878A43593EE2656F0EE27B27111E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:51.461{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-45292-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:54.870{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13A2606F962715FF9F995084A53C3DE,SHA256=BFA3B73EC00A2B721811E31B37F2E3FAAB2BAF9D809439361C5576374B71114B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:54.472{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B26569BAA03C26C9FCF00B3658E9AE,SHA256=DAADCF198F5972C6B888743433EA51DEEE4B1C61879A0D7F939A159B4EE798DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:52.539{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-51363-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001541197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:52.371{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65127-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001446274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:55.901{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5706F2D21634EE47A66D323D7F33876,SHA256=15C1E4D4FD9147F148F912DE25E081CB56DB3AD10C8027A0257FA986C2C538F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:55.519{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8198FD7D232AA9C798D72CB46B94274B,SHA256=06C8E0D738A8BD95D023AB6C83501ABAD2A7ABB2F36293AACF14EE43455B2D5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:56.932{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA320E56B3F7AE0C9591D97EEBAE8E6A,SHA256=2ED87AA995A4E7149D1AFAD80976A588F9633185A9AE60DE9B0C305BC9D56527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:56.675{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C17CA06F58D94104F8A25DB104D31DD,SHA256=A7135AB8E0396F8C7D233C18C1789A720BB857A11BF44C969EE849D197EAD207,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:53.894{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50774-false10.0.1.12-8000- 10341000x80000000000000001541206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:56.612{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:56.612{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:56.612{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:56.612{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:56.612{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:56.612{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:56.612{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001446277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:57.948{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F83D893CB030576C9A4D2399895187,SHA256=B415F263E20C61046F3933E4BC198EEEBDF2F8CEA8CACB532E8C1E80777726EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:57.972{5EBD8912-2C75-6154-1E03-00000000FE01}54644868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001541216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:57.675{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619269CA8D1EE97276236D96E0B9CE8D,SHA256=E6E866279657BAB11D3A180B9C1F325D7F012643696D635D3BD406F441E8E67F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:57.659{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C75-6154-1E03-00000000FE01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:57.659{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:57.659{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:57.659{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:57.659{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:57.659{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2C75-6154-1E03-00000000FE01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:57.659{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C75-6154-1E03-00000000FE01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:57.660{5EBD8912-2C75-6154-1E03-00000000FE01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:58.964{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAF28C5327747F314E72B33709DB4DAE,SHA256=E6337837C4171A29B9F0CB2F400189894DB53633583FFE71933165DB1666863D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.878{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C76-6154-2003-00000000FE01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.878{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.878{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.878{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.878{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.878{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2C76-6154-2003-00000000FE01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.878{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C76-6154-2003-00000000FE01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.880{5EBD8912-2C76-6154-2003-00000000FE01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.690{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A83FB82DA3D202D4C52D2C7637388383,SHA256=D8C3295E27CEE7BC75507A91303C1752246113F947E34114E864F61E6D7CA32F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.690{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85D12E07306711C5EC8B4E3623C13D8D,SHA256=5C3D81A3CED812F9185D8F083E491D797F780F47B4906AAB8CB0DA137029C94C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.675{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C66CD7E3781E5E136ED836A9925498F,SHA256=BD907E19F954C54F30ABA135953EA7B3CAB3CAFDC5BB2168D0709721DFA1D893,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.331{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C76-6154-1F03-00000000FE01}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.331{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.331{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.331{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.331{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.331{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2C76-6154-1F03-00000000FE01}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.331{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C76-6154-1F03-00000000FE01}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:58.332{5EBD8912-2C76-6154-1F03-00000000FE01}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.878{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A83FB82DA3D202D4C52D2C7637388383,SHA256=D8C3295E27CEE7BC75507A91303C1752246113F947E34114E864F61E6D7CA32F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.690{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CEBB018030DFBC856E79D18BB62675E,SHA256=60324F48ACED337EF8E6EA57C75E7EDB2D2670E114A26FE83F343721A248AFF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.097{5EBD8912-1A12-6154-C600-00000000FE01}48364192C:\Windows\system32\conhost.exe{5EBD8912-2C77-6154-2103-00000000FE01}5640C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.081{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.081{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.081{5EBD8912-194C-6154-9000-00000000FE01}28444332C:\Windows\system32\csrss.exe{5EBD8912-2C77-6154-2103-00000000FE01}5640C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.081{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.081{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.081{5EBD8912-1A12-6154-C500-00000000FE01}45923200C:\Windows\system32\cmd.exe{5EBD8912-2C77-6154-2103-00000000FE01}5640C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.093{5EBD8912-2C77-6154-2103-00000000FE01}5640C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient" /v DllName /t REG_SZ /d "C:\temp\w32time.dll"C:\Users\Administrator\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x80000000000000001541248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:00.690{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9241DB6DC98D9D9352F18E1EA95284D,SHA256=674F8098B909B3413B6BBD076195599FB5F37157CB6B9D3164C67C7C422D6CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:59.995{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454976D0A3BCC22556652E1CFC8F8AA0,SHA256=0D5FD595187EFADFF44BEC7A9386B647C2B1D0475DA632907D6032D84F49A27D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:57.375{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65128-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001541281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.821{5EBD8912-2C79-6154-2203-00000000FE01}24725448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001541280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.800{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99238B0DB642C7AF47173C980DE36A12,SHA256=A08084180C1FF05B84A92DBA369B497BDE5FF12601BA1F580856BEC613B2CE01,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:05:59.894{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50775-false10.0.1.12-8000- 23542300x80000000000000001446280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:01.026{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E81E4A413A65CC5CAC9F5994ABCE1F,SHA256=E484466131991A2844D82E560CAE2C289839C6CB8C4AB2D277E2118254A94DFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.646{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.550{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C79-6154-2203-00000000FE01}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.550{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.550{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.550{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.550{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.550{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2C79-6154-2203-00000000FE01}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.550{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C79-6154-2203-00000000FE01}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.551{5EBD8912-2C79-6154-2203-00000000FE01}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:01.081{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DC35E946D646C72B013A81BBBA717AA,SHA256=49AACA5D4E79C7F9B9790E9DB6C1096BBC43E0AEB16618D8D15CEB05E2592FB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.862{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C7A-6154-2403-00000000FE01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.862{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.862{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.862{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.862{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.862{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2C7A-6154-2403-00000000FE01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.862{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C7A-6154-2403-00000000FE01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.863{5EBD8912-2C7A-6154-2403-00000000FE01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.800{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EF0F2A1F01058CE5D2EDF0CB21BE536,SHA256=865D091A02DACA302B79E5047301C0B2710C84F7EDF38DBC7D4F26DBFCD0C40B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:02.073{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98C811C7508536D68A8B5DDA16A6EC9,SHA256=8944D56A600F456BCEBAEE9345E438657D99BCFA631D4BE341C6C5A3AB71ED4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.784{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25D88ACB73FCB87A863060AED3E00235,SHA256=E8BD85A8A9A134226425778A1372026919F1F1901344B55A059D424584A8CB44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.582{5EBD8912-2C7A-6154-2303-00000000FE01}58244436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001541291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.344{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65129-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001541290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:05:59.344{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65129-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 10341000x80000000000000001541289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.362{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C7A-6154-2303-00000000FE01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.362{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.362{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.362{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.362{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.362{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2C7A-6154-2303-00000000FE01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.362{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C7A-6154-2303-00000000FE01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.363{5EBD8912-2C7A-6154-2303-00000000FE01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:03.089{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD7BFF8104033958C1EDE04B2B469544,SHA256=6AEEDD993756926D4932610E23F7CF1C7BD141BF7201883775D462B4DBCB2467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:03.940{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1405B06E06B7D2EE24181E5C89C108DE,SHA256=3DAB6179EADC682AE6C5441919CCDCD1C0AAC9ECADCB466332BC427A5439D33E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:03.065{5EBD8912-2C7A-6154-2403-00000000FE01}33565936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001446284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:04.105{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55BC8CA8FC06775629792EC367F5BFCA,SHA256=7A4E9F831344686A1F1A06FED9D079FA63A8A68CF0054C07EBDF1C82F51ADFF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:04.659{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2C7C-6154-2503-00000000FE01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:04.659{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:04.659{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:04.659{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:04.659{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:04.659{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2C7C-6154-2503-00000000FE01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:04.659{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2C7C-6154-2503-00000000FE01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:04.660{5EBD8912-2C7C-6154-2503-00000000FE01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001541306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:02.422{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65130-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:04.019{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22456303B2CE8A234F2355A832347FB,SHA256=CFE87855D280365080468303AD698DC1FF984F5E65296D0DE7164EE27F24A3BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:05.152{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35A11D3467EA3EF8E15E272483C25A7,SHA256=8D73F9D792979D22C5BD0B75E0246CE9D6110A2159F2EF1B6E4E58830F1FDCEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:05.668{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5B29C340FB1C37CF532FDE72F98DA0A,SHA256=8D2B7F943507F3FD758F25A880DDA7D7559FF732A119490F119D8FC2B1F795D0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001541316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:06:05.605{5EBD8912-2C77-6154-2103-00000000FE01}5640C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\DllNameC:\temp\w32time.dll 23542300x80000000000000001541315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:05.019{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=005BC86A4819518B02D68576C962D0FE,SHA256=20A30EEBE90BD61C7F4BA268E972B070A3956D8DF05A51469D745E42EEB14D9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:06.167{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E959923F5721A26C7756615BC4D80CA,SHA256=9093E4D311EB5833F88A288B8812126D25BFFE197D3ACCF27C21F26DE8D38B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:06.043{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C1E5762A53BF6C815E6B6EA1797943,SHA256=E034E32021106278C196158D1792E72A04DFE3599FD0FBF6FE3F02727E6A1B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:07.043{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=931903D9BEB99FB2444E3F090BFEE203,SHA256=787FAAEFAFC40FD6F18EA0B5CD14A367D9AA4800D04E6E8F97B27558942ED801,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:05.816{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50776-false10.0.1.12-8000- 23542300x80000000000000001446287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:07.214{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE702C953183A8498ACA69E132C483D,SHA256=0661B2844BB027E9FEAD4335EA5E8F7B7E72942B3D823FB57969D01AF468689F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:08.043{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03AEC47AC8B4FBE16F03A01640FA91E,SHA256=06628681DA9DD59F63DA210701094D9F8AD8AD4D9B578103BA64689FF7F265CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:08.245{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E79D9F0BBF6D506B452A76C12D7F8971,SHA256=AA7F3B340CC67D211C0313747438DECC953FE88E289970D2EC5ED724CC047B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:09.043{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E228BADDE8D5965687739E7275CE4664,SHA256=4782E3EF0E7BDAC61B12E3D9B443D35E00B2582D85D1F4DA03ED13E8CAB35925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:09.245{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCEAF9324E3E916DC09BADFB6FA74C5E,SHA256=FF1B01B43C1E19895F736E40E1CFCB7CB2638377987230297BE7C4A9E11F9E5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:08.400{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65131-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:10.230{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA5D12C785A0F6F840E256675621D16,SHA256=C9AEFFEE01D4077AEEE127496B0CACAAC8C37A45B5518CA15872ED3E8797B4AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:10.355{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5140B170E24D940677CEC993A48CEFFC,SHA256=32646BF4ABE203789F344F5FBF07398F154342BF88CF5215D32E294B415962E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:11.355{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C5C3064BA01358F9DFA65A9F15C115,SHA256=EC48D805D1784E62D1C07980ADDED60D8F5F3B9DCAE1E35BAE56ABC986A0439C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:11.246{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13BA072E04C4DB8CB562A539F18A7257,SHA256=26D0C5AD29703E02749670D8697BB7836A34A8F3DD466BDF3E1B03B3017C8F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:12.246{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0147B9595BC02B56FD53C19D9F8A7FDB,SHA256=3F6E9FD000B391972E191F5E3119210525DE39FFBA86BBCB814E877E3A03DA28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:12.371{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91706382D28BEC8AC5DBFA297B7C0D3E,SHA256=2DFD9D128FAB58AA11EE4050086242CD0E04044E795C6C0C4DF326F87B676FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:13.293{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CAE6364799F475C0E9A5257D9E85CFF,SHA256=7A852BFA968AE79EB7F49D129EB2E5F4CA48094F2E1998F9AF866F80FE696CC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:11.800{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50777-false10.0.1.12-8000- 23542300x80000000000000001446294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:13.402{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6434CA97551F3DD2888E2756C90FE3,SHA256=F634B0444AEAB1506BE68DB5EC8988B41B5CC640EEE3E823490F14914394919D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:14.308{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C8DACE49EE4E31BB3141F043CBEB837,SHA256=D6334674389FCE1334D61305C7AE8D22AA986408A1CA1ACD79C2536B4486E630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:14.886{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=046B3D4CA12E114390A6A84AE40DB926,SHA256=3138B5F0C97EEF872FD4EACC19C26B397350E1329096BD8E87C2384FBE04E85C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:14.402{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A16A74B62F3B72E44C3E42AC017EAD3F,SHA256=232DA50F5EA26C92C78095AB4913D5B657195E4DF680A6AFAB496F9886E3D1CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:15.464{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD118443EADC2172A1E111E50B421E4,SHA256=13CBED111C491E3FFAB906FADAB05B2AB36B6BE4606F8967220084583EFA7587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:15.308{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBEB9CAE76B7A271D348A6CA95285424,SHA256=9D6F16AE99EABFC01E3D4FA16275357B70736F8969E8BCB1DD6D5A0B46776A73,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:14.353{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65132-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001541340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:16.433{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:16.433{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:16.433{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001541337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:16.340{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE13EEA851DE0B700F8D39ABB30CE52,SHA256=AAF52B237949888F60A31D13C3D2A5903A71CDF1E816C9064BE930548C78CE19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:16.480{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EE64EAD166A43C551A2C1601D91A63F,SHA256=034C5D320AAD4184F5431A082CBB04C3A970DD183417D6AF9AE67EC5F3DF1AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:16.168{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:16.215{5EBD8912-1A12-6154-C600-00000000FE01}48364192C:\Windows\system32\conhost.exe{5EBD8912-2C88-6154-2603-00000000FE01}5156C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:16.215{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:16.215{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:16.215{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:16.215{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:16.215{5EBD8912-194C-6154-9000-00000000FE01}28442320C:\Windows\system32\csrss.exe{5EBD8912-2C88-6154-2603-00000000FE01}5156C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:16.215{5EBD8912-1A12-6154-C500-00000000FE01}45923200C:\Windows\system32\cmd.exe{5EBD8912-2C88-6154-2603-00000000FE01}5156C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:16.226{5EBD8912-2C88-6154-2603-00000000FE01}5156C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClientC:\Users\Administrator\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 354300x80000000000000001541349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:15.740{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local60536- 354300x80000000000000001541348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:15.739{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local61629-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x80000000000000001541347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:15.739{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49846- 23542300x80000000000000001541346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:17.574{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB029669DE402FE7C9927E2A88457B6,SHA256=6151A7D2D8F4716F675D035FA86EC1B311B93A7CA51297B2BC238818E24602A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:17.496{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F77DD5667298612F2A48D4350F579B0,SHA256=31C076AF6DA95CCA9EAF696AA83E8BB9F5C001BA4337F0D406C61C387F035113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:17.433{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1FE6F6A8B4B618DFAF6ECF543510CC9A,SHA256=8AF328D62DA7741943B551CB572923776D75BE485D8221D3920097387B83FDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:17.433{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4E70F997C0339C45B279D6C8670008B6,SHA256=94A29E295E7739EB9CBEC29340516872F9D9378F4DCC246266C845AE70040942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:17.293{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0935006CC79ABF83EDA1CED7DC2DE4D,SHA256=52C9730E107FEC0131CFCCEB5A7A91B965E169C50245CCCBDFB7C8F1124060BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:17.293{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13A6ADEE636E3BA4B16E7F07D6716BBB,SHA256=E70396E26017AF580FBC1B42535826DC484BB6B4CDD687E9EF2CD25D0274B4A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:15.744{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local65133-false2.16.106.171a2-16-106-171.deploy.static.akamaitechnologies.com80http 23542300x80000000000000001541350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:18.590{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53FA1C3C4E5DDC23E215B9E0724A29AE,SHA256=B59A4B7DE48D82015492E4ED439178387FE59BC41265925C0CCE430D7F430B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:18.497{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F3DC482621BFBE8E94D47687EC3533,SHA256=F43D55B68865FA46BDC0552632A824D64BBA0298D1648BBA0D4B42DC160E89ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:15.831{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50778-false10.0.1.12-8089- 23542300x80000000000000001541352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:19.590{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD680C2C9E171CD57B58F70DDEC65B2,SHA256=8B1161C5331F80E2DFE831B11E071F24712B5661EAC5EB7E4CC746B8883F4EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:19.528{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B3A01D8AB92A1B1C4FC578E8958798,SHA256=A99BE5C8601FF42B470CDEBE7430B966CD0F4AEC68320AA12CB6E918DCA58E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:20.605{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D57F50A88C75B6BE552AAF4ED15D254,SHA256=9350C2E03AF9BEE225ADF9B38361005325F8378380D5D2733D39BB574628FBB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:20.544{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB58C8B84162BBBA5FF5A1C434375B81,SHA256=AEC41DD2E12D9510DDF5FE4DCD6711BF630BCE03D6CF1595AFC9749D622C3709,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:17.769{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50779-false10.0.1.12-8000- 354300x80000000000000001541355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:19.580{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54250780-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001541354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:21.606{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2261972EA6E5BDDD7D505ACD9DB81715,SHA256=32035D388D30C3BDF239E808AE58EC89ABDFAF69E27212E80964830479ADB79F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:21.575{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B9F7610AD4F4D3EA05262BAC5B4852,SHA256=8D2F37645EFE0A576F23B2B4F1565B17CC436ABEB2360EF01A300B02E51231F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:21.357{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C85C7A2716C7986086A2C3CE841CCC6,SHA256=75CE11B09E1917C2E48AA972EB4396B6ABDAC69DFA25EAD692F5212C56420BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:21.357{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7086BEF46EA4FDA2508CA103309789F,SHA256=7C0FB8441DF440C86867249D0FD48C08419DF16CA70EFFE2A7F112724B30C6A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:20.384{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65134-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:22.840{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A8FA05112849230D2BE47A7D5E8068,SHA256=B6916C45C39DA3B55E416288CC3478FF99E878D4CED9C6D3CFFCDC43A6E8CE8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:22.607{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6D504341FC546C37333DB6F871D271,SHA256=D9966D141F13287E29A0DBB82D4F8F8E2CDD4A1C32902C86D586197FD02E8ADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:22.482{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C85C7A2716C7986086A2C3CE841CCC6,SHA256=75CE11B09E1917C2E48AA972EB4396B6ABDAC69DFA25EAD692F5212C56420BCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:19.931{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-52636-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:19.905{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-52503-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001541359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:21.381{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54256290- 23542300x80000000000000001541358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:23.840{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9903CBFD2914721548F7F3335B55BA80,SHA256=EB03BA942ED29BA2C196B6176C49E219D1443A7B3F96D246582549A69A2ECB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:23.638{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=699608376D5DD0A2FD4A6E7E2016FF02,SHA256=FFD62E9EBF61A7DE03A07B938086E5E944B2024C9C2ECAF61FF49F9D0D6BE6DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:23.559{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BEFCA44CF25D78BC8B046A39678692A,SHA256=F592CF90D64E3FC667D66C3DEFFA53CFE5CBCA32B291A9D347062292145E5A44,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:20.015{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50780-false10.0.1.14-49672- 23542300x80000000000000001446314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:23.124{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-082MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:24.653{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113C4BEC2237A3BBD3AD3F79FEE26F19,SHA256=47F4D0A3EE8EC661A85553710F9BEC1EAE0C00FDBC33D7C3A38A0D80EA61799E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:22.181{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-11065-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:21.823{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-542.attackrange.local56290-false10.0.1.14-53domain 354300x80000000000000001446320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:21.816{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:88d1:47ea:8a92:ffff-56290-truea00:10e:0:0:0:0:0:0-53domain 354300x80000000000000001446319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:21.072{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-2661-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:24.138{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-083MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:25.700{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4145CB39276697F867A557B3978D6BA,SHA256=696D7B34C5735B5AE72174F6099255602D6F81A6B4C9CD55864CB2C15234E769,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001541370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:06:25.203{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollTimeRemainingBinary Data 13241300x80000000000000001541369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:06:25.203{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastClockRateDWORD (0x0002625a) 10341000x80000000000000001541368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:25.215{5EBD8912-1A12-6154-C600-00000000FE01}48364192C:\Windows\system32\conhost.exe{5EBD8912-2C91-6154-2703-00000000FE01}648C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:25.215{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:25.215{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:25.215{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:25.215{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:25.215{5EBD8912-194C-6154-9000-00000000FE01}28444276C:\Windows\system32\csrss.exe{5EBD8912-2C91-6154-2703-00000000FE01}648C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:25.215{5EBD8912-1A12-6154-C500-00000000FE01}45923200C:\Windows\system32\cmd.exe{5EBD8912-2C91-6154-2703-00000000FE01}648C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:25.217{5EBD8912-2C91-6154-2703-00000000FE01}648C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exesc.exe stop w32timeC:\Users\Administrator\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF,IMPHASH=A68324ADB4F5664AF8A79E04062F4A92{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x80000000000000001541360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:25.058{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D44D8037E7CCCA5EDEEC3B9719F12EB,SHA256=069891A89097F6E11F35BDFC8B9C1F9A884C41B93D44A4475C9C84AA3734E2E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:23.288{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-18821-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:22.894{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50781-false10.0.1.12-8000- 23542300x80000000000000001446324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:24.997{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DD602476ACA36D93A490FF732692A74,SHA256=B0B91193F0361249A4CC8E46480B00F0C9D8B095DE90AF26472AAD5BAA93F794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:26.731{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F768C8EAAF894700043C491510C605BC,SHA256=B5D90CEB8F04DDE8845ED316C22FC90D6AB2F92039C02CAC1AA8105C84EFAEB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:26.194{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D78C23013C9C162E4F4BB45A08FD3830,SHA256=172A626EC923B0919A4F6EE1B31019B242FFA263C372D0A7200D2FE74345DD71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:26.194{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1FE6F6A8B4B618DFAF6ECF543510CC9A,SHA256=8AF328D62DA7741943B551CB572923776D75BE485D8221D3920097387B83FDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:26.194{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90235D321007CC43A2A459E25E281B3A,SHA256=CF3F7C1F16BEB90BB0656F9B7CD40217B8910F5791CE4E05BC5FC8C6FB245D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:26.194{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0935006CC79ABF83EDA1CED7DC2DE4D,SHA256=52C9730E107FEC0131CFCCEB5A7A91B965E169C50245CCCBDFB7C8F1124060BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:26.038{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED5E630E90E68D2DC756D48727115DA5,SHA256=AD0B6BE604BB9418863375138E05E791450C630DA91693665FBA27514BEEE609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:26.122{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE157892BF4565B6D50EA9ECF46B02FA,SHA256=9C49E7443C908B0D068435D0DD20FFD49D8F131BDD08153F4FC8F3BD1893A1BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.762{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BBF56672BC9240D11103A13839FEDB6,SHA256=A8871D7E8B895F2B640719F262A0CC81C231EB4D4C915C4A549907CBC52122BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:27.038{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC9F4B4E2FAD8AAD36E497F52C5BBC6B,SHA256=2C7A83FC1DCF77E70438DC85DAD1086550D63A2EF49583BE2F7FFB93AE2CCA0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.418{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C93-6154-EA02-00000000FE01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.418{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.418{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.418{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.418{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.418{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.418{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.418{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.418{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.418{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.418{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2C93-6154-EA02-00000000FE01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.418{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C93-6154-EA02-00000000FE01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.420{69CF5F33-2C93-6154-EA02-00000000FE01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.372{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=550745DDB2E885AFD7A6DF958AC1E740,SHA256=91A5D0DC0C74AD7EB457FE6A4492DF61584A1B9B84F246F58E2A7ABEB60210B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:25.828{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-37632-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:24.707{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-28911-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001541377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:24.530{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-429.attackrange.local138netbios-dgm 354300x80000000000000001541376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:24.530{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x80000000000000001446362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.762{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3028E54B949EBB6092C84D48805B31,SHA256=70F2764E70AE281BC5D3BE8CF26FADA295E6F917D683C7D42BA667F3D0E8141E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:28.038{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8507011A700C1467848D767B6F8D8D2A,SHA256=E1D158D35FC8936AF894FABEC3CE23E88ECC88B9C8F9BC19327356330FBF9AD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:25.513{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65135-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001446361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.622{69CF5F33-2C94-6154-EB02-00000000FE01}5123016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001446360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.434{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A717901676F94D43847560C9BB53708C,SHA256=AAE5D5EAC25A0FE94137ADE5A33FBB867F79D4DAD41F6BC8B096D1A148CB067E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.387{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C94-6154-EB02-00000000FE01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.387{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.387{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.387{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.387{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.387{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.387{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.387{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.387{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.387{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.387{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2C94-6154-EB02-00000000FE01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.387{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C94-6154-EB02-00000000FE01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.388{69CF5F33-2C94-6154-EB02-00000000FE01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:29.794{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8ECBDD093ECC1FCEDE7A90E40860CB9,SHA256=46243EE12E715F14964710BD2EAC034CE28A4E07EDC05914D43D34BF364326C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:29.038{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764DA575B7B0D5B4173A2C08810307B7,SHA256=C1E4AF6C9E76B4DC6B9AC37AA882BA6E18FCB7D3400B1DEA128FE476021862ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:29.700{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2C95-6154-EC02-00000000FE01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:29.700{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:29.700{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2C95-6154-EC02-00000000FE01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:29.700{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2C95-6154-EC02-00000000FE01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:29.701{69CF5F33-2C95-6154-EC02-00000000FE01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001446364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:27.072{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-46738-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:29.590{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDF471AC768FEEAD41C1295A24889369,SHA256=0C94F0ECF09E705399A972CB2AE8B6A69C185C1620901F7525E0B49737BD1EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:30.856{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78AA2DFE30013C84DE78166350695CC,SHA256=D57001BDD1474A654E7DC0A1A19072CD2878317A1F9B26DEDC78C12DB188330E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:30.038{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91688980F691D20FD9D3065D2976EF2E,SHA256=1A7F177A21F952DD1B47EC1779FFB45FDAFBD49D801FDA0E89167511FF8CCD06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:30.778{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D848BEDF76AA399FB00FDF5A2A500DC,SHA256=6BD274985B9C4193F867ABE30F0CCDE9C91201A01708631A160675D1251A9E61,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.180{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-54902-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:31.887{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6FE29F5D7FF8DC1651A338F1506F27,SHA256=8430E3EDB566C270AB3963B202D96ABA64168514E09EDEE67F708F296A4D41B6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001541395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:06:31.413{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b511-0x4b5e97e4) 10341000x80000000000000001541394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:31.413{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:31.413{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:31.413{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:31.397{5EBD8912-1A12-6154-C600-00000000FE01}48364192C:\Windows\system32\conhost.exe{5EBD8912-2C97-6154-2803-00000000FE01}2296C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:31.397{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:31.397{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:31.397{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:31.397{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:31.397{5EBD8912-194C-6154-9000-00000000FE01}28444276C:\Windows\system32\csrss.exe{5EBD8912-2C97-6154-2803-00000000FE01}2296C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:31.397{5EBD8912-1A12-6154-C500-00000000FE01}45923200C:\Windows\system32\cmd.exe{5EBD8912-2C97-6154-2803-00000000FE01}2296C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:31.408{5EBD8912-2C97-6154-2803-00000000FE01}2296C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exesc.exe start w32timeC:\Users\Administrator\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF,IMPHASH=A68324ADB4F5664AF8A79E04062F4A92{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x80000000000000001541383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:31.038{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59AE603FFB8953CC59EB47013FF17B2E,SHA256=02CD040474CE685DE2B798E8656409147768F0396CC13B32DE0318AEB822F282,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:28.863{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50782-false10.0.1.12-8000- 23542300x80000000000000001446387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:32.903{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDCC4702559B73CBBDB829265163B5A,SHA256=DD387B52A847D99603FF24081C38CE8149FBA6F89B7DED4BA4176129079AACC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:32.491{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=241E123D780A5BA8967CE83B468B61DA,SHA256=9EBEC37C2349ED5E8FCFBE66DB5202BF545F90EDE4A9734C3B34864F8CB85256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:32.491{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90235D321007CC43A2A459E25E281B3A,SHA256=CF3F7C1F16BEB90BB0656F9B7CD40217B8910F5791CE4E05BC5FC8C6FB245D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:32.444{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=090E67D2CFA8E8077271225BDBB6FC9F,SHA256=4B5C017FD13A127A77EB981886711F499FB9C6BEF3912ECDD24E2D6751D1F404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:32.444{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D78C23013C9C162E4F4BB45A08FD3830,SHA256=172A626EC923B0919A4F6EE1B31019B242FFA263C372D0A7200D2FE74345DD71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:32.085{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF3524B9CD6D95BB93AE19A6DC97EF9,SHA256=17D4A6C41BD8A8B4C2718229541B5D38DF373A5729780D74393B08E0C7FF4DE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:30.617{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-13643-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:29.293{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-4659-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:31.997{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C28868134A683DC48F08C05A978CD55C,SHA256=7ABA28CB35A168F87812D15BB194C18B1CAE646EB47CAF65370FC212B1D06EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:33.950{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A584CBE69A0E99AAAABE63906B0F457C,SHA256=6735A86C0E313DF1F3F5A0992D11406AC3CA8EAB7D4DE95A8128417F5ADF9A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:33.788{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=033404588B66CDCDCEBE2058824B8913,SHA256=F2CA34498944616A0439F323D82C6CF65FB4A4E0B674A2194AC0BF2A6F712FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:33.132{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E58E2EF1AC5E97604AF397B1683B3DB,SHA256=5CD79518354CBC4282EF1AF6C9DE2A095C44ED15C71EEC48C24FF872410B9F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:33.091{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9683858DD29CC9A386A82D0A341453C9,SHA256=2FC229BFF0591DC96B6FD38FEF1A240D93CFCEE3D0403A67F730A31066F71DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:34.981{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B070CFC372691B45E2F7BDC18F8BDC,SHA256=0E780C36A6DEE0B9279436405D3BD24B5F6E5DC0E35A16B9896A6261639AF4BC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001541414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:06:34.757{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001541413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:06:34.757{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x004e4644) 13241300x80000000000000001541412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:06:34.757{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b508-0xeb525a81) 13241300x80000000000000001541411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:06:34.757{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b511-0x4d16c281) 13241300x80000000000000001541410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:06:34.757{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b519-0xaedb2a81) 13241300x80000000000000001541409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:06:34.757{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001541408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:06:34.757{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x004e4644) 13241300x80000000000000001541407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:06:34.757{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b508-0xeb525a81) 13241300x80000000000000001541406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:06:34.757{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b511-0x4d16c281) 13241300x80000000000000001541405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 09:06:34.757{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b519-0xaedb2a81) 23542300x80000000000000001541404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:34.272{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B0869A0B6D8CE95A30E9826E455B92C,SHA256=98393D45A1AD83DE96C7C2B4824DC11395A9F6122AE9D54ED88B3D2CE4E3F310,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:32.801{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-29920-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:32.345{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-52044-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:32.309{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-51950-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:31.697{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-21930-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:34.263{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14E5A80D0BC17CD59A1E1C2D6ECE883F,SHA256=094F510CD8E2D41E743213787860B14B476D9F7824B0818154AAD0E26C3AD35D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:31.420{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65136-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:35.304{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9495075617DBD94A76400561D9AD7A8,SHA256=E69001133D5B14C7A1D8B6AFCE4BBE097EB39F999789F331DAD1124B73578EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:35.372{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CED2F756CFA6CCA831A95674CA9BD14C,SHA256=8724F1D092370DC7CD3188D9363F9D04F6723EB497C37DD5504B553CC6077A89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:36.382{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD04B4CDB034218345444C6FE1521D2D,SHA256=985C403259BBE87300353A059F72D949E84B74A19AFB2C1C7EAC0DDA3E14E794,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:34.878{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50783-false10.0.1.12-8000- 354300x80000000000000001446401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:34.524{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-2566-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:33.973{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-38642-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:33.447{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-56849-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:36.466{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D06A61594FA7B63717887F619B4FEC8,SHA256=6163C54431E2BAA4A9201C865CDD10ABDB44EFF5A0CBE0BB06E0931074EF38D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:35.997{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23DEC855889B622583F27C1A9470A75E,SHA256=B1559EC325D55CAC9535E0991EDD9BE022FAAED8B471233D22111FA26DE5FBB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:37.382{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E780A73ADFE737C7080EAB3CFCDFE603,SHA256=1620726F001D19DDD0C0424CC811D22529329FD0A0950A4C3DB3F8B51381B0BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:36.166{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-55120-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:35.602{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-7074-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:35.086{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-47202-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:37.575{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=577025D0B11DA970CED622750ED25C01,SHA256=444082975AFFA9178E486ABF0AB568A51992D40125655632B688A464F0AF9594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:37.044{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3179A93908BFBB89D4264E16768937D3,SHA256=7CCAAEE8EF27F79014BC19238403D9D7875D0E8041AE5F848CAC353490E1D5F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:38.382{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888FB34EC42FEE8A9557196C9431C644,SHA256=E53AE9BE5676461FB4857619187213C90390BE93C65545A27D9014D296977A91,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:36.692{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11799-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:38.075{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C13E66233F1B28CECFD8CC08DE9E85,SHA256=A2E54BC9B7A9E949AA55B8FA7A843D1CFDB34A725AA79381EB26C1E33C4959F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:39.382{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F3803B3549F89A740F1717D92D7C99,SHA256=3D1E5FA2B77A9881B36F119FAAAD93276F1DFDB6907716CC202BE3F08EE1A2E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:39.294{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=069B8751ABD7EB7F51B1DA133552B040,SHA256=ACBA38B9DD709C5433DF3647417FDE5C09DBE9B804D0EAD18E63F59925818206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:39.106{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F53A8B1C0A5F2E8CF33634F79215C6,SHA256=ED02AC887A52EA913D2BF9BF784F9BCF82231A6706B7320C352535BCBAA7194B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:36.560{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65137-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:40.413{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9B19B3F5D09325AA742D52979FA777,SHA256=5D7F236E10BE63A3DB634C8BD09030AB35CF75A1A0BA4DDC8E378F0CF443CF9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:40.388{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A11269C2C05D2629398A4033BB9CF1D1,SHA256=9CF618521DBFE09568A0602AA3DE461619E6BC880A6F14C39BF336D60B580AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:40.122{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F273180D29A3524115C20118C7658D,SHA256=7C86A304F27F746B2DF8F5DE9DB6C52A049C865C38A52E5291D6EE26423823E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:37.888{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-16726-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:37.289{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-3958-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001541422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:41.538{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370FE7A605BF0626B7F74EBAF758DA5A,SHA256=DA3ADA11A6B17DD928DD3D7B2B0D55D0748023C9FE3B0C8F3DB5261A82CFA0AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:41.497{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8773A5B2B3AB3E2DFC8699447F5D7B40,SHA256=0611F13F4C865E1DC5540FD294AB821C3DDF00B9CB11B5DB306BBC5EE5524A47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:41.153{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDCD1D6F13331EEA25A9CDA69CE45BC,SHA256=C02B47C7828FA8AD6CB7C2E5A75637AD999D4BBE710987CB7CED8C466A2E610F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:39.023{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-21686-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:38.993{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-16094-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001541423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:42.538{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5E0AA5E7FA2D0F7326BC82A4EAB1116,SHA256=A74FA4B6B944C4B6B75599DE98428DB08FD6635691D7B7B12C67438091E16369,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.763{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2CA2-6154-ED02-00000000FE01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.763{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2CA2-6154-ED02-00000000FE01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.763{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2CA2-6154-ED02-00000000FE01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.764{69CF5F33-2CA2-6154-ED02-00000000FE01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.622{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B44955DED0CBF7F71FE7277D770F0FC5,SHA256=D6FA6C94790871DB707B572A7A1DFCC3984F7425FBE9E2118135819C01048CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.169{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B570D4E1F540838EFBCB7508A5C10F4A,SHA256=6BBA2FF10BB949553D4AF7C5718A25A9BEAA80ABDDC15EC8C13937CEE6046672,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:40.146{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-26479-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:40.089{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-24086-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001541424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:43.538{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F0E528E2D2327DCBAF5B39229BB18A,SHA256=674407A2FF07A6E2E858364A770EF015029AE9B805685823CA815981D7FF09E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.997{69CF5F33-2CA3-6154-EF02-00000000FE01}22721920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.763{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2CA3-6154-EF02-00000000FE01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.763{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.763{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-2CA3-6154-EF02-00000000FE01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.763{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2CA3-6154-EF02-00000000FE01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.764{69CF5F33-2CA3-6154-EF02-00000000FE01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.747{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DF803FDE6C2C9DF53BB0B8857882928,SHA256=A0760AE10FD68FC5FF43E676DF39B75ABB45061D853E2A23674DBE066CEB7021,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.466{69CF5F33-2CA3-6154-EE02-00000000FE01}1696728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.263{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2CA3-6154-EE02-00000000FE01}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.263{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-2CA3-6154-EE02-00000000FE01}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.263{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2CA3-6154-EE02-00000000FE01}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.268{69CF5F33-2CA3-6154-EE02-00000000FE01}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001446441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.185{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3430FA8129BFCA5E458643FE93C430,SHA256=1A7188DA02F613742E432BE80F06D90C2BC257ECFF70A375F71392D974FE7F96,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:41.299{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-31342-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:41.209{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-32484-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:40.722{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50784-false10.0.1.12-8000- 10341000x80000000000000001446437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.997{69CF5F33-2CA2-6154-ED02-00000000FE01}34922256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001541426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:44.538{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051427D4FD594603C97EEFB61837520C,SHA256=61F00EFA5D04B54BF64621EAA503912822D1A291C2543FC062E0E5BBDBE4BBF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.825{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26F3EFA3AB181DA1B7E4F63585C6BE57,SHA256=432A8F245F665EBD8B0410EF1B6082DE785BD834D7F02A2DAD6DCB8E602AD593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.419{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24411EBA9C48F3CB77A345391B24667,SHA256=3152AFE9468D4EA1376D457A9F671EA098C64665199E603CD6364AC29CADD2EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001446484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.263{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-2CA4-6154-F002-00000000FE01}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.263{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-2CA4-6154-F002-00000000FE01}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001446475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.263{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.263{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-2CA4-6154-F002-00000000FE01}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001446472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.264{69CF5F33-2CA4-6154-F002-00000000FE01}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001541425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:42.467{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65138-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001446471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.321{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-40599-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001541427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:45.621{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07571EF5961517C5C2B4052915A256FC,SHA256=CD5D28ED00F4D97E5A649403D9ED664EAAA5EC69748E06FF9F05704E50308C13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:45.294{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA4D0DE6C7F8AFE6E5E996B69E11E50,SHA256=28C668A0779B44A69398C54D9791CA352D64F8280223E3AB0BD7C400C51FB23A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.556{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-41183-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:43.525{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-49428-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:42.477{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-36522-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001541429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:46.668{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7DF54F966CDB452728557247B23716D,SHA256=89F5DAA2A968910C19D2ED1E3795C3979349CC2E77698C506940FEDC77A9AA20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:46.341{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3EBABCB6DADEC4689081C093467FF51,SHA256=0813D91657045D96656DEF8AC55DAA96354B50EE333A3860BC08C0747C02416A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:46.058{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.664{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-57399-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:44.651{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-45775-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:46.013{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=776E020691BAF8BA8A2B4B727EA2DC67,SHA256=782A0DF2B8328A5B494F81831996B15583CA4A34677B520772C805F23BC40F87,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:45.362{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65139-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001541430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:47.668{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0AF7C23DD896AF8574A28B84111DBD7,SHA256=C57D5A2637734C6D3F0351F536C52FC52F2534F8C2FA82E94AC0C601322B471A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:47.372{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061384AB11E137AF54B4AE241C8E5BE7,SHA256=B545407472D4E4E55296765AE55CB6A41DC2AFBD66EA08CE1EE7B47DD21E0948,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:45.555{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14428-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:45.528{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14183-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:47.107{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32991821341715241B4C6D1DDE40F1F5,SHA256=707A58CEF5FA0A35B5D5399F40FEDE8738B79822F5BDBE10EDD0718DD9206E79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:48.700{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E1DD4E950A7636E514E857AF0294C6,SHA256=BCACC6CE47340C3FB0F692434C3D3F2DE5D2171BAB3C4859A2EB7F40C4098C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:48.388{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F0316DE103B205FD591FB4ADE43ABC9,SHA256=79C4241009AC941D463415216798A541E4A9133AC32B6B61A695B643EA1D785A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:46.634{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-21417-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:45.925{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50785-false10.0.1.12-8000- 354300x80000000000000001446501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:45.795{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-7146-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:45.727{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-50369-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:48.169{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9599C71B8727CFB37F334413D76239EB,SHA256=6A9C9FAC65AD38AB050AFD60D76E23482FD210D0E87BD41C5DABA52A479378AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:49.716{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D143A1E27EE8F5D6D81CF8F18821F0C,SHA256=135CB6B9513673CEF3F62A59A5493896D127FAE9F4BAB71E0A3B09330B7F0F36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:49.404{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C851D43C92FD28D1DBDB6C5F6FF264E,SHA256=B6D61FDD9E381A9AD17A36C5844A889874E58DE3A6A23B2B5F567E704C267DBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:47.727{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27966-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:46.915{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-15715-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:46.805{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-55077-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:49.279{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B098B89CC3F771926A8EA8A242766A64,SHA256=1B6D29C71887C3896B6E25C317A568CE32FDA6CFC9FA6793BC4C772BBE43E0F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:48.347{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65140-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001541434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:50.716{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB08067A3A8C6B03AC7832F50914EFC9,SHA256=415F451BBAAF994309EE0A8DF473493ED83F90AE0DD03B76389ED7C03E19E2DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:50.435{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A93D6A2687CAF59BC84BEC529E97477,SHA256=203D83BCAF7E2293C1D470E51183E864B9F4C33E117C50C4A39AA689534F3DD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:48.054{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-23274-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:47.883{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-59691-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:50.404{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50448F6FDC7ABDF6F3BF9735BCCA1262,SHA256=1166A2D4CA52B6B7C6AADEB81946922AFED365205351F2C0A15DD73476D0714D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:51.716{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C53901F658A09CE729C7312332A737,SHA256=EA11359E6C8C3BA2E9B4A6F96C978E5051F0F5F3E3FC8E96E62A47165C4EEE09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:51.482{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEA6E9EB6D80A17658F39BC0B3C73A1C,SHA256=FE7DC899AC5A2486385D1EDD2D52B313F7E348A29DF136F3AC7BE15FBB48E2BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:48.836{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-35031-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:51.466{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17CBAD66639EF0D8C97628A6A96E4F4B,SHA256=A61D6B183E57E9400A74CF7CE0A4EE19C08382A89797F7DCC3F9FD3FB966380D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:52.888{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC82F4389AFF56E4B1EAEE07B0D02631,SHA256=2F9591000B12603F322D1039EA30A98183AE0D74FD4EBD0C7E4B16E529CA3BA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:52.888{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=241E123D780A5BA8967CE83B468B61DA,SHA256=9EBEC37C2349ED5E8FCFBE66DB5202BF545F90EDE4A9734C3B34864F8CB85256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:52.825{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571C370A1795CD6C4943314C89070186,SHA256=346B5FB5110AD62E00133C66AFB33E3FB8929E2BC507CD6A9C067E041E5CB179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:52.529{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BFEFBB54359174E772E1B0C818785CB,SHA256=A919ED0CC1A104120E8886888E53307A29D9F4906820EB9038D08CC839A80921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:52.498{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D5BAB85798A9A57F740D75122842C0B,SHA256=E662CAE1E3876503E1AFA49A5FFD82CA93F38A4DE87A7B314736CCC058E40A49,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:50.321{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-40048-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:50.101{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-10335-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:49.929{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-41823-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:49.210{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-31969-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:48.992{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5521-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001541441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:53.981{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ADFA8428B80B5B737D4AC919C162B9F,SHA256=6259846D3F09289278926D73B9BFDCE864449EDC4E4BDC87D915C2883BF40F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:53.685{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=070123BBFED5BD8CCEC32D4128A25E2F,SHA256=868E1F23A559D5E10A8A7997859408FC9ED77135C6AE6D4B4EFE213157B8CF48,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:51.893{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50786-false10.0.1.12-8000- 354300x80000000000000001446527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:51.525{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-48717-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:51.180{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-14957-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:51.055{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-48909-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:53.498{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EB9B4C96946EE152F9519E49F37BEAF,SHA256=141839A69423E305684901707FF306847F686732975FAEBC31DD4E325E26BDA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:53.966{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC82F4389AFF56E4B1EAEE07B0D02631,SHA256=2F9591000B12603F322D1039EA30A98183AE0D74FD4EBD0C7E4B16E529CA3BA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:54.795{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEBFD3F8E893CB4E470438B687958CEA,SHA256=7748DBE79423C790CD05285C13590391E41A0C301FDB574F062CFC3DB1234F44,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:52.270{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-19541-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:52.232{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-56077-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:54.513{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC59ECE04A45D206985BE848D5D8B761,SHA256=456225B57EDEAA8F6E1BD78F9BB8FB9345450BF30ABC2B8BB11158828E5AB6F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:54.062{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-082MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:51.112{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-1289-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:51.073{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-1207-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001446539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:55.888{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1167347891B0E73783D518B1777CD9D1,SHA256=3578AD90D66C6CCFD40EDCE1610284D37655FE3912DFBC7B8D66C930EE688B98,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:53.766{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-6562-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:53.522{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-4821-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:53.383{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-24393-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:52.680{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-56951-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:55.545{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF58DE76E4325B2BBE52DC9A788CF148,SHA256=92B76A753EA6AA99AE14F3C07621455349D794B7FF9BCC17C4A8050324C02EC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:55.136{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=949F969C153DA508AD446E80012C2F01,SHA256=A8AC4AB8E8F497092C4265DC6497E6700537C2BB3DB0C54C3B7002CB829F0BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:55.076{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-083MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:52.227{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-5907-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001541445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:54.997{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8782E6939BFE855C10326C3C646DEC3D,SHA256=F53657017FD9AF0AC643FE780948376CE008D92447FB8593822F4EB19BC81783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:56.982{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F392E830C8D55210495372436B5EAF2,SHA256=AD77FCDD9F08417805C12E69DD56A6117A6BA64B1BE77D01278F468ECA23B49E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:56.592{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C6CAA510349482C3FB442673D30989,SHA256=3A3D9B7A872B05C1D3A8F31B058ED3A258561F4FCCB02DE024F974384875DB38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:56.217{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66D9136C71CDAADF2435849EFAD6C7FC,SHA256=BCEE64431C8900D809F990E810763A19F50E43CCD0EC1524B9FE16B9EC84415E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:53.550{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65141-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001541450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:53.308{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-10698-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001541449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:55.998{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3B7FBF416FA7F0150434A8D9EC3208,SHA256=486CF0698E40027E4345CCB44618FD50F052C2A4F4EF3131D7526BDA3A9CB6D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:54.917{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-14835-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:54.649{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-11944-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:54.492{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-29169-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:56.044{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-23566-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:55.759{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-18997-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:55.586{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-33976-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:57.592{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B84EB654F8A100F2F2774EC0EFDBFE,SHA256=79F42CE8BF6539DC2BD6D2F24E17F0ADF6CF1B7ECF8A1DB95F6D7889450FAA2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:57.623{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2CB1-6154-2903-00000000FE01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:57.623{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:57.623{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:57.623{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:57.623{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:57.623{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2CB1-6154-2903-00000000FE01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:57.623{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2CB1-6154-2903-00000000FE01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:57.624{5EBD8912-2CB1-6154-2903-00000000FE01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:57.311{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E14AC248985B41ADE8985AAD7361747,SHA256=936649BD0C3D2D35C365D31F8DF4CAC5A95FC616FC3BD0F916695D27AAC49D66,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:54.475{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-15654-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001541453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:56.998{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243FD6C9199F8E2AC5067DFC5EF5BBB6,SHA256=F8DCCD9910641A5BA191DD44800C5747D26D1AF875E1CF46A2C40915DE851502,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:56.837{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25461-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:56.680{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-38732-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:58.639{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01C9E8BCB65A0BA821961E16FC257A8A,SHA256=CA1C8442DA5CD95E4E0CF0B2D6DCF5D72EDD0AF29DA91E947CBD37B5B5AA870A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.967{5EBD8912-2CB2-6154-2B03-00000000FE01}35443988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.795{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2CB2-6154-2B03-00000000FE01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.795{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.795{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.795{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.795{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.795{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-2CB2-6154-2B03-00000000FE01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.795{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2CB2-6154-2B03-00000000FE01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.796{5EBD8912-2CB2-6154-2B03-00000000FE01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.373{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9FFD573F352FB1388C76F1599B15A50,SHA256=FFDE8878DC3F330EF6324F47EF2AB6D1107FD33863F389C8EE26FEA98BDB5071,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.295{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2CB2-6154-2A03-00000000FE01}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.295{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.295{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.295{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.295{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.295{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-2CB2-6154-2A03-00000000FE01}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.295{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2CB2-6154-2A03-00000000FE01}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.296{5EBD8912-2CB2-6154-2A03-00000000FE01}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001541465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:55.556{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-20348-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001541464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:57.998{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=048328865F59D1B6C03F42E8AD1B28A9,SHA256=654CE49E8C99C5F84E97A38B03ADC4A5A74FDB0899BD17AC6699238310DDF99C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:58.060{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E34B8AF01601D8133571082BFB66148,SHA256=A0B1251860817EDEEE522758D1F23D29DD1F4312830231203A1C107DE06CCF94,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:57.878{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local50787-false10.0.1.12-8000- 354300x80000000000000001446556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:57.758{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-43201-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:57.134{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-31391-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:59.670{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749CF3E54A99F8374544E0AC8E48A6F8,SHA256=9800E233902DCCCB2053DF6C42CBD3058E27ECADC0C8F689D66D3F7A6FFBAE05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:59.498{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=687583B48122A8F9B049645C4DDE6742,SHA256=5D62B447CE1A0355026D74B28D2B1E302CB0D3604F3CC3F2BA18729D5B29CFAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:56.650{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-25086-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001541484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:59.061{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5844EF7320217D5378ED5EB189881C90,SHA256=8DBBC874A2069E3AF7F8E069AEAA4B72745611AFEC48BC1C09923C071ED223B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:59.139{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E45853650C885EF333360739A706A4F,SHA256=5C3194802E777AD3B93F3B7943AF0D4C6F2E05B65E0694059561F3D0EE13611B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:59.098{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-39300-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:58.850{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-48051-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:58.212{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-39448-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:57.977{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-32431-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:00.701{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AE381A7C4EAAC660052372039B055E,SHA256=CF719D11A1C62CAE5CCA002D16F86C411B3EA0CEF9329345814A5EE24F6643BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:00.639{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=368A94840F24AD9672EDB86BD34EBF9E,SHA256=9A436DB828169F1C39319E4B528B98630AFD37D184389681249B320725A8E8B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:00.076{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4CA6719CFC9578B77D496845D137EE0,SHA256=1639F5F6E4E8E453FDE758EFB383FB868C9EC150637DAF03BA58F282826F12EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:00.279{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=962F6C5D83153C1AE6CFFFEF6C359867,SHA256=9AA75A517842F67EAA8502E56BAB4AEDF8FB4AFA0E6F81A3C46D88F092201747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:01.717{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF1C15F4F5A322286F59FCF44D2D3C8,SHA256=D1135B41D58CEAEB69296B3F9BBAECB292F0B17664AB333018B6D1F5773DFCE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:01.826{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=965070C9E7D707D8AF016AFCAC85D1FF,SHA256=4AFF9F69539062F24748B9F783F5D7C074763A2DF281197BCBC6F168C9F0403F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:01.811{5EBD8912-2CB5-6154-2C03-00000000FE01}31644696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:01.514{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2CB5-6154-2C03-00000000FE01}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:01.514{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:01.514{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:01.514{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:01.514{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:01.514{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2CB5-6154-2C03-00000000FE01}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:01.514{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2CB5-6154-2C03-00000000FE01}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:01.515{5EBD8912-2CB5-6154-2C03-00000000FE01}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001541491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:58.867{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-34569-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:57.752{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-29831-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001541489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:01.076{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01578DC91202595C3858A652D4AE231A,SHA256=78657A78E0A8EAD5C0E8089B97346B88595DD7D343DACBAB5F86F0222D1C18B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:59.976{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-52774-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:06:59.414{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-48531-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:01.357{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3EC51F82ADB6E98D909DAE8316D965C,SHA256=552784B794B5A2398E428E34FE5B82785C66587AD6BDB3CF5B5434D85526FF74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:02.748{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2257E40E279C14E6387FE3B4829DF0,SHA256=4EB1EDF6566890C9002515E7F5D31F2B8E08723FD77C8BE12CC1F122C65EA2F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.967{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2CB6-6154-2E03-00000000FE01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.967{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.967{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.967{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.967{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.967{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2CB6-6154-2E03-00000000FE01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.967{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2CB6-6154-2E03-00000000FE01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.968{5EBD8912-2CB6-6154-2E03-00000000FE01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.921{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22AFB6412E550254D475E7146A2FB6F3,SHA256=5E987052D09C08280FC02F21F23D0AF02E38DADB5B5700BA4D056CEFE3ED972E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.483{5EBD8912-2CB6-6154-2D03-00000000FE01}8603260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.295{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2CB6-6154-2D03-00000000FE01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.295{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2CB6-6154-2D03-00000000FE01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.295{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.295{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.295{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.295{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.295{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2CB6-6154-2D03-00000000FE01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.297{5EBD8912-2CB6-6154-2D03-00000000FE01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001541506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:59.978{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-39348-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001541505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:59.489{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65143-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001541504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:59.349{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65142-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001541503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:06:59.349{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65142-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001541502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.076{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E7D18E5A952A0A24277E3F3F32129C,SHA256=F8B6A42E391423B990B8510435B6032FB0F3ACB3632970F5C7ED260B7EFC4435,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:00.370{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-46806-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:02.436{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F21069D5DC41162A52DCFC968DC6A96,SHA256=DD2D61C5880D40DFA816212BC53640A82EBF289AD535A3A24DC9F66E1A9B30E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:02.133{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-3022-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:01.649{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-6009-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:01.446{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-53613-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:01.054{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-57392-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001446573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:00.543{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-56820-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001446572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.764{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78CBC23569FF10D37F3113BBD6D189AB,SHA256=DDA986CF398474D5B665C81D2B69800D7A7A0761F4BFA460D3AA0FE12F1AA628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:03.967{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACF54E70FA82753DD985D197C18ABDED,SHA256=9DCCBD34EA1352126967D2EEF7E29720C27F8E68DBE075C7AC35BFC974148928,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:01.168{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-44424-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001541526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:03.139{5EBD8912-2CB6-6154-2E03-00000000FE01}58242520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001541525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:03.076{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B884444B6000DAA27175D7E0C78C5BA6,SHA256=4A5C28FD4F2379D1B809E8726C07184A8D56EF660384AE306EBF9DC50117C2CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:03.514{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2093F918F4989D212DA7456D494C9DAC,SHA256=3D5596405AF85DCD0730AB63099285915FBA127120BAC3E28CC4BACA7BAB34AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.951{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=621B6AFAC0136D3F5E4E06A1EFD85FD4,SHA256=4443B1B9A0FB69E2CC29620BE1C4F7969B8FB4363E7A4547960927E5BEEC008A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:04.780{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F235BBCF695F08AA7DC9F438DCC40E00,SHA256=F038E4AD3FD60E882488A41C6F3E44F7A6937A36F616DBC4D91D9BAABC55CD9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001541537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:04.623{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-2CB8-6154-2F03-00000000FE01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:04.623{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:04.623{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:04.623{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:04.623{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001541532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:04.623{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-2CB8-6154-2F03-00000000FE01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001541531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:04.623{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-2CB8-6154-2F03-00000000FE01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001541530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:04.624{5EBD8912-2CB8-6154-2F03-00000000FE01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001541529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:04.092{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57CA8BCD7540EBDA60D0474F7D4EE85,SHA256=BCAEC707353CC7E3DDDF021732D841607C883EC32BD16A95B5C15260B6D13F28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001446589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 09:07:05.795{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8662571E52849402E33D8388D239983C,SHA256=942AA423890CBA7F8473693CCD5AEA9E5D730566D354E2EF60D02568C7C3E45D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001541540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:02.274{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-48938-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001541539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:05.248{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=168725616A372ADF4A4455E101A81E35,SHA256=0674A9D5C25E8613F3B27C5DBCAABEEC0FA643AF4B8D2515340180F31D45B8AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001541538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 09:07:05.108{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08413DC59A62122B751C06CB4988FAD,SHA256=A45D6BD3B6FC009C16307A3E9B7C6502F81CDE010399901E999497B5BFBDF9D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001446588