354300x80000000000000001463227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:26.957{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-34652-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:26.908{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-31354-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:25.855{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-28693-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:28.479{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA92F1C30FE9B86A1BE2B526B02E08B,SHA256=0F8F067E995F82147FAD671BD5C2186E437B442280389D348C950B8D601F12FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:28.252{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04A53FB2F1D720275BE2FACDA8AD59D,SHA256=B1F6E4EEACD3E6AC4DB5F7A5138579BEE77591F57F4BCEE9C4CC307540905839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:28.339{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AA1B88F8EEB0E057649D1D63D8D9608,SHA256=5B20FF70F5BCF6C08D01A19A8ECF14299B1B5C38586E9BF7874EFCCAB39E2421,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:28.067{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-40487-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:27.780{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51574-false10.0.1.12-8000- 10341000x80000000000000001463242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3B95-6154-AE04-00000000FE01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3B95-6154-AE04-00000000FE01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3B95-6154-AE04-00000000FE01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.684{69CF5F33-3B95-6154-AE04-00000000FE01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001463229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.511{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4022A7A53D9D5A16CBD00F0F77C3295C,SHA256=1679DCEB4B38A6C5B2B0DA9ADD3ED8951498B7CE7B0711D9A902FBF606EFC5E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:29.254{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60010F92FBDBC14B80820A0F67B9C75C,SHA256=71C9EF38E116713E9B047E93685FA50A556D9F427AF5095CE9B55EC9527EB5B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.417{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31CA7E4767DCA62574B1FA13E9690F16,SHA256=98F2533927120C5F37F2D298F0BC1FAD23E12D1C2858DE543574934F5F925A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:29.148{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-144MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:25.414{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001463247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:28.391{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-37722-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:30.526{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1004BF376505CD0E5CB9953F8E177B1,SHA256=D950157CDF19DCE42F04DC304B290414C947A177C4ACD6177DD3434325B51860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:30.268{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8653606B970372BED001EE536B53262,SHA256=2C858A4C4F8620B7E7ADE88C938C8A89843C28AEE5B8CB4E91DF4C8513DE5DC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:30.511{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=093C817F4E7767547F68B666E7143BA1,SHA256=C134F062DFDD4D549740720DACA70C3180CF8F372061F5AF299E4CE4B6A61EF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:30.161{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-145MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.144{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-46156-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:31.636{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B8B4222F084135D886230114BBC614E,SHA256=0AD252B2D6E9B23C28629D35E240401909FE09DAEB39452C22D0A8280A33A646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:31.542{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1B22BB4C61FF6AE490B7CD2C0CA0FE,SHA256=7976AB534576F6138C5A97C0B9A1B46E5249CC61BA7242E0FE737C997CDDFE64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:31.271{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1463EEEFBBA2D273CC325C65AFB8E5BD,SHA256=D092DABD1039944A220FE48AD05B7EED8E37CACB3DC6B76C68BC738D73FE4E46,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:30.569{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-47993-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:30.254{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-51932-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.469{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-42836-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:32.761{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2789BC3483CD105EE73A2171655FA4E9,SHA256=795E6055FE163B50D1FD65F4618D3CEE834B4D604148D234E7B0C8D7F7826D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:32.557{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F7D13264AB36C331CD657C583408AD,SHA256=9BBEFD4150095CC170E058527B8AB6BA088448A02792CA44F8151633C853DA3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:32.271{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45522410974FA5C824218F3505B0867A,SHA256=95994FB5B4D5EC2701B16069B0BE34757767CDD12AB8742441491CFB0D5537F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:31.379{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-57789-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:33.886{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DC324E31C96B3EE9B8F3A262D8D738A,SHA256=E17547BDB737890017499E8CB0A539B2CB1E472E6EAA436F38518B56DB86FC85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:33.573{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C966F5BC327026B197CD9312EB0D201,SHA256=2FFBFD6E18C81853B5D6B56C6DFD333DC210E0C503F13D995F66548140E1A502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:33.287{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD25426B471A6EED1AE0FEDD296AC370,SHA256=EBEFC1D2A71E71B62E5AEF2444A895573BE2B55F39194F8C2FDD8575367CA754,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:30.497{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001463264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:32.904{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51575-false10.0.1.12-8000- 354300x80000000000000001463263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:32.783{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-58508-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:32.500{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-4840-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:31.684{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-53203-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:34.964{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14436FABC3CD5C5DC5BC634AE6409899,SHA256=53619A044435BE432963BC69BC21B682A3A96BBA1AC456DF6A1A32DB2964E6F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:34.589{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA838AA1C025B0F75683BEA826074E6,SHA256=493C365317C82D30DFB44742CFB1EF8F407781369E62DBB38C33E801949F91FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:34.396{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5A411746E0F3070FDE047CBF8951BBC1,SHA256=7276081B7F06877D897C6EFFA0A5481724FBC3315B767361808A9EE3F20BCC3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:34.318{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8BA0000924B7CE2F40FD2AE1C9EE9C,SHA256=D72F051E904F1FEE57141A040AA744D6CB6542171F7AF5F8DFDF827B74EE5F78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:35.604{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A7544EB042816B85FB4425246B558A,SHA256=5874B757A1DFD4E97925B1712647D9E54F49471F00C57D8E9E4E11B98EF8BB70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:35.412{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99CA8EBA4A066BF4D674C5A5CBF75890,SHA256=36E7FF9EEDA13529CBEABD79D981B0AC24FC953BFF0E30EC104494308CF36625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:36.651{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD52A47985C167563DAC2FCF826C8E7,SHA256=CAC5762C427091AC9199BE58BC88DCDD7594DA444AD49B48420AC153DA3247AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:36.459{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88806585FBE84222FEA0316D441D515F,SHA256=964F26C42EBF05623A58B5DD70E02B3CB8F803481427406DEB8EC38664E262F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:36.042{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6157BD10F07F9BBDDAF02C57BC6B8D7E,SHA256=73B72A20677828BE84E8E044FDC2F014210F46D3877FD1FAE4A156CB17EEF305,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:33.906{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-4578-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:33.615{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-11026-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:37.683{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D92B1978AC9F796805C640FE4C5DE5,SHA256=457F6D22A308247BCDA1249EBB4F301D3BD72D0A4CFB9E84D1BDFA4084CCC613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:37.459{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6ACFD89669E0F6B84482C034454D5A2,SHA256=4925FA8F96B848BC5D3229B95DCB0BAFE68E2DB037BC842ECAFACDF635F28C39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:37.182{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C685906CF9F853B74F589CBA14121C4E,SHA256=530AF2CF4D8762506A4BD3BF46A6A1DD056366E7E93700FAA9CC318683FC04DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:34.696{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-16696-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:38.698{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=915B52252386A005C551BD8AFF45D60D,SHA256=7C643C0564A14445AA0A5DB6EA9B793D167EA4306729A2476B21F43423C71037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:38.459{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51941227C105887937FD0DDB081D67DA,SHA256=3F2C7F0899ED4F31CD5F336558AB092568CE397199B904906869490E424A2EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:38.276{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78D4F756F7CB9C2611107492706DFD01,SHA256=DD83B67D34F1A324F39AC62868296A223E3D1983A61956FD332DBA425419C56A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:35.799{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-22490-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:35.037{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-9572-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001557300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:35.497{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54176-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001463281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:39.745{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B30A396A6437E7CB23749EA9469BCC0,SHA256=BAFD22D22B54BE39193946C6F855ECF73EB7A4D0BBFED6FF3B667FDA90ECEE56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:39.459{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=501B1F39FA0E81C0D7E9202F010B6528,SHA256=9363DF1C4A10FC472628816B765C7E7B489B9CA295D9B279C5C61275CF9410FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:39.417{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3016F8B53D714904F34182EF1B7F285,SHA256=58369FDD1C0A4E4AB38DC7D0C61022D8E0A460BF155D89445FEEE63A0B4CD71E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:37.306{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-20047-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:36.912{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-28519-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:36.139{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-14665-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:40.776{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB27D1B16C9FF40CDEF6CAEB8923210,SHA256=7085E08A9AC8D8B3E4D20A7C6A517E0B8D7887EB50624D3E4984EBDF362150B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:40.474{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FA4E5A1B2479A7A5BEA313664BE681,SHA256=FD552E4470389A754269B035C9E9D22F168825A3CBC9D4B1DD9F0D4E033AEAD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:40.511{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=864525307D16C87BED3EF06BB7450A85,SHA256=1642EF4A3E674231E2EFF7CC6C1B146F31D39485B8A59002B160E67ECB567481,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:38.686{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25961-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:38.034{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-34158-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:41.792{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A039AEBEADDDADBD0BE39469D7363253,SHA256=98B6B9468D6140EFA03A18C6859D40976E0232B12A71024D836D5741B93AF461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:41.490{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B3381E3F0CF703213C9CE55E68060B,SHA256=80185F658D502686A550760B6479571D0068828A24E81971976588DF6132B686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:41.745{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADD0D6604703152B19F22D6E59C803A7,SHA256=612A084DB1506E7C292BE5F3C51A20646C200CFD9F9C24A566587B1BD700270A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001463288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:10:41.620{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b51a-0x42435c7f) 354300x80000000000000001463287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:39.145{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-40219-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:38.826{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51576-false10.0.1.12-8000- 23542300x80000000000000001463307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.870{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B4867464AC2CA5D06EB9D909FBE8E0,SHA256=D9F48098FA7E5C50106E663E2E7473A694DADB3146ECEBE98D354E55E593E73B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.870{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8229A5A4F318A59E463AED9ED558C119,SHA256=A363B8B28C85BADD949907EA4EA26F490CE02A592C39B62415C8A3ECB218159B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:42.490{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD14FFDBD0A5FBD382BAAAD5A84D2CA,SHA256=71D97AA2552E9545E3126B750684822FD2AB254BFD5A35D9E643CAF2631B06EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.854{69CF5F33-3BA2-6154-AF04-00000000FE01}14523712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BA2-6154-AF04-00000000FE01}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3BA2-6154-AF04-00000000FE01}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BA2-6154-AF04-00000000FE01}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.559{69CF5F33-3BA2-6154-AF04-00000000FE01}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001463291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:39.851{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-31442-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001557307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:43.631{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2435B1DE445AB60DB36E3DEE9C070F,SHA256=77442868A0E1BA0CA039DF032BE5793309B51464DDF9A78D53B6289820AFCBC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.792{69CF5F33-3BA3-6154-B104-00000000FE01}35443572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BA3-6154-B104-00000000FE01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3BA3-6154-B104-00000000FE01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BA3-6154-B104-00000000FE01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.559{69CF5F33-3BA3-6154-B104-00000000FE01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001463325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.354{69CF5F33-3BA3-6154-B004-00000000FE01}40642944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001463324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:41.748{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse10.0.1.14-123ntp 354300x80000000000000001463323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:41.485{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-52358-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:40.937{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-36525-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:40.362{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-46406-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001463320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BA3-6154-B004-00000000FE01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3BA3-6154-B004-00000000FE01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BA3-6154-B004-00000000FE01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.059{69CF5F33-3BA3-6154-B004-00000000FE01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001557306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:40.544{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:44.631{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E4B05E0CEF6E123E8A73D9D89D78D21,SHA256=B756F9EF0BE42C0DC5F273EAD36B352DB7B345D48263D415AA2C5BABC6F4BF7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.354{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=937AC18238FFC24EE642268321CB4CE4,SHA256=C1AB5366E94FA811379D48A257007B74D2A0403EADAF6DB153E08276BA64A628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.354{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED65BC99BD109B3A95F35CE115D02EB8,SHA256=4A73CD95A0AB8EC8FB231E4162E919FECA6C6A8C09C1133378882E42AF017EA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BA4-6154-B204-00000000FE01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3BA4-6154-B204-00000000FE01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BA4-6154-B204-00000000FE01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-3BA4-6154-B204-00000000FE01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001557308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:41.410{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse10.0.1.15WIN-HOST-542123ntp 23542300x80000000000000001557310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:45.631{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04EFAF34538EE5CD035C7D69707472AE,SHA256=891CF7A2E62DFEF7804AF14AF2E4BA0388FD320C4DCE12E9B2D5DEE175E50ED4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.614{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-58488-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.144{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-42110-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:45.276{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6FFA8D09B8012D25C45A1B05157A0FB,SHA256=9EFA09C36CA0936614E0CFBF70138A89C32A3D92D68D562B8988175ED6D89DD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:45.089{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32759A01C83489DD70F80FE545812B0E,SHA256=54DCA540F925111AB6B3ED5151D727A60D0F680374292305DF34DC2B7026CE1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:46.631{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A9CBF9D7F667BDFF086C4F4B04778AF,SHA256=563C398B11159D5E94AE9D01F1A78F461BB4C7AC988D2C075D4243894D654EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:46.933{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9955242C2C9E4945B75AA42646138925,SHA256=3A3F1357A1991A7EF1B180AD1FC769381A33D37C9AEF65BCCE5504ABAF6EA9DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.967{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51577-false10.0.1.12-8000- 354300x80000000000000001463361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.724{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-5395-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.372{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-47476-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:46.120{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977F7EDB5DB00A9DF955FE5F4E62C6E5,SHA256=4E14BACA54EE10BCD6E0C304C4626A80878381E50D9DE2FA24B26140B174645F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:47.631{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B464C9452383433BD722FA320F7AB34A,SHA256=F17AE70A72F1ABA23B8182936EE7CF616746C84CF32B8704A910B8D82B425ABB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.816{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-11209-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.455{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-52540-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:47.136{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910F2CDD6BB1C8A393E8DC025670E97E,SHA256=2D1E7746D34D83254D895F5B5F2DB877FA2FFDAB67DD8F8DD5D1AD2BA213FA22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:47.537{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:48.636{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4EAE9EF3F4002D31CB176BEDD9B03A,SHA256=CB2118256B883F5C6D25EF02BB352BE8445B6DC9D6E2B370054D9400058F0CC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:46.657{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-3764-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:45.895{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17030-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:45.578{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-57638-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:48.167{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B22C659389AA16E3F1677473064EEF6,SHA256=E7BFB625C5124667A352529181A928B1A488727F41B3A7A98A62B352280292DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:48.011{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86FDBD7BCF7036104F3B9A52E2EAC174,SHA256=76FADBE0D3502949EA969B187F0A8D6486466FE0D37C70D410F347B19E9F3D2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:49.636{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C22817E340AB2A67B50271FC3476AD,SHA256=B2C3E62219D8B12A0A5F2CFA88A40BF38B50BB57C4E5D36EA4E0EAF51708DEBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:47.004{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-22806-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:49.198{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8D70FCFCE138656BE5D7E2B840AC5A2,SHA256=2D1E4055E38DC8C8AA77589CDE17241EC0979F19ED84DC4492D179C69608FC1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:49.167{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05F9330DFFDBABC6D6612D33BB48711,SHA256=3AFC0C87A6439FE17FF0769517D6E499247CC71FABDB4E85220D98059A81F0A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:46.841{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54179-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001557315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:46.544{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:50.636{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7DFEEBDC588CEA63828BA09D996F30,SHA256=366CD72CF62179AA5D3FBB23AA6F65E4DA62C1FB548A737B09C59DA6F0A0C770,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:47.811{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-8810-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:50.323{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=740CDB88DF3E65813E6CE9D296421CAF,SHA256=9500E02813E9E81CB1E6065DC02827E1B516FC42344A60A36F3D94D23776E88B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:50.183{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604BFA1170B9FF3285DE7817AD057EE0,SHA256=A691D7D903D396F1239F5290C602DA501CB6BE8CFB3FE83C3E16E78F08C62460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:51.636{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2886B11EEE88203C7839A31BC5AB281,SHA256=22BE8C3B95FCC8899C4573475A2AE7A7D1EFB8069261306C4BE29911E53E1373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:51.480{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C0A40E70950899F981781CF2DD4BF16,SHA256=8475B23B0D8994420E29A2235DC1ACB76F6F23FBE702BAF474C51D2020114134,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:49.857{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51578-false10.0.1.12-8000- 354300x80000000000000001463381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:49.252{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-34690-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:48.940{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-13904-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:48.127{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-28679-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:51.276{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C147FCC405A4EDC9D684D3BFEFDD102A,SHA256=EA90FD94545F0CF4D3B0A8BBFC73DA2072845167A756F23EF96E2AF8968CF48C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:52.636{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B968F6B1BF8660779AAFF078B2D05B,SHA256=41ABA7F579A447C4708E6FA4BCEBC446B7A7FD329426C4A0B320B24A7E5E7B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:52.636{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C0D94610F1826D5B8CB6A12979206C2,SHA256=EE956071196BFA042F7DAFF120B4AEBC26A7C799044AECBC196D53934BAE5707,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:50.375{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-40716-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:50.109{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-19185-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:52.292{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C8EA495BC1957361D4C9456146D793,SHA256=C4BD38A665EAE16D214723ED4A6BA47741058100D385A76865F817C1C94C8B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:53.667{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C548B2A55717BCBC03E22A2A1483666,SHA256=E2D5E1F1E4025A1E2F11B137E8D3D61A4BCDBBC4EB2196958F428C1E6A5094FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:53.745{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16F73EF85EAE8D2FA0B5B9970712B70C,SHA256=0BBB03C62E46FCF11EA85571EC0E4DE815F5E48B58340AECF79DC3A8BE12A886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:53.323{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE7D4B3675ED716E38A8DC987F3C88F,SHA256=48F8DA65B98342DD2FB5E5E1F4411DCBD68F43704E8D4B71217480A0D24C212B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:51.503{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-46580-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:51.272{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-24308-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:54.855{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F1F108709BCAC5B3FAB99C6B2D3AA5B,SHA256=BE49D3C6FB4678D5CA6A7A7B4D43A4E922FB04E35E6062A4DAD93A0853B14AEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:54.355{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4B2AAF7088AD868C15788E8F1D4E36,SHA256=BFB066F95A2286E063804CDAD3FFB6541A11B1D5EA29A67A8CF905CD34D22001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:54.667{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24E4F44E05904DD918CFB115732CE67,SHA256=94834CE26115D5CA6F4209CAB4085DA201726B71BC43C081FCF076493B25105C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:52.614{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-52288-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:52.374{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-29094-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001557324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:55.667{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F96E63FE6DEFAD10487D26B6E0B31E,SHA256=34CE9C35DBFF16A0EE665D6142DF8DC0F22282F9982A25290DACFA1BE7D0635F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:55.917{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=277F49136E566DA763F8BBD24D8546E1,SHA256=B612F8D3AF66A43492BF86A7008618D6E469BE9B90295A1E155863C81F424700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:55.370{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A79C980EFC2766157A21057504C6E8E,SHA256=D5644E84ABF8040ACA406FB9F696233E1F1202E1E66B666998F46798912469F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:53.707{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-58212-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:53.481{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-34370-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001557323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:52.486{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54180-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001557333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:56.823{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BB0-6154-EC04-00000000FE01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:56.823{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:56.823{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:56.823{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:56.823{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:56.823{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3BB0-6154-EC04-00000000FE01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:56.823{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BB0-6154-EC04-00000000FE01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:56.824{5EBD8912-3BB0-6154-EC04-00000000FE01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001557325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:56.745{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD0AD51CDA3B24203FB7210AE60F8C00,SHA256=65F1D37058EFB904861A8E36B78263F6D35FF866239148045898F6A9CBC996C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:56.433{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9B28E336A2463CC46E412A3F1C9B91D,SHA256=B775C11F6277ABF961B769BC1FBC60DD5BA0098314B226C4EA5AC03F909114B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:54.832{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-4994-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:54.579{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-39618-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001557347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.995{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BB1-6154-EE04-00000000FE01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.996{5EBD8912-3BB1-6154-EE04-00000000FE01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001557345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.823{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42A249FB9EC4832923E53CC0ADA6CF1A,SHA256=28CA0F7FD2B36C4C86545B8F5A27EAACE85B27E8727B4B3261115248EF112898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.823{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B6DA2604BC433C10F5A52B06523C2DF,SHA256=1D8FA61B7E41340914AB0C416CF31267431077C08A248F765FADA90DAC3ED847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.761{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEA0B103F6C7A9A5D79715651BFE364,SHA256=4FB1E493FFF086B24B5EA698ED2215A36E8C88DB114016A2308B500F25001B63,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001463407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:10:57.620{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b51a-0x4bccc958) 23542300x80000000000000001463406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.448{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AFD929F84B074E5A23D103B7E15DC75,SHA256=D9BB5B744B8DC623303B050C0FDB67D381DAB8EFE0737F260214A1BCEDEA2882,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.495{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BB1-6154-ED04-00000000FE01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.495{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.495{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.495{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.495{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.495{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3BB1-6154-ED04-00000000FE01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.495{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BB1-6154-ED04-00000000FE01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.496{5EBD8912-3BB1-6154-ED04-00000000FE01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001557334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.011{5EBD8912-3BB0-6154-EC04-00000000FE01}42525872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001463405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:55.889{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51579-false10.0.1.12-8000- 354300x80000000000000001463404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:55.668{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-44373-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.042{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C1473C096042F552CC397B1D909D50A,SHA256=50D35DBF949A1E7819CEFC604F9F821629F17E4745DF6AB3C32872BA4BF965A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:58.886{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8D699E8CE0E130E8FF5CFF3BEA5A7B,SHA256=A1177AE1910B60386F0F19F7CEDE49B7EEAF4D3E764A79D54BD9F7AEE4E9B89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.480{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993A331FE74AFFBDEBB630F0D4A5A498,SHA256=9314FE8DC7EA45F3845DD8621B368A00C912F0CD4DD7F760FC99E13DFA5F162E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.995{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BB1-6154-EE04-00000000FE01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.995{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.995{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.995{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3BB1-6154-EE04-00000000FE01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.995{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.995{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001463410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:56.796{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-49349-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:55.927{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-11137-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.230{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=330C6B4FA2983F3766FFDBE110C8A74D,SHA256=B0D5EB63A7AA480C6A1301EEB99D842B409139AEFB8B97954A7231A217B82A3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:59.917{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB64B605FD1D4A563D049E206B68ED0,SHA256=31FE83599DACED518A2C0B82EAD022F152AA318CF8D38BEAC2BEEB4E5FB316EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:59.513{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7601D1D0DA6910514B0BEE54582BF9CF,SHA256=DA9DA427052BFB54E8878E6E4419DF5ADEC7FBFA3FE9F7DA58B27A8D541B4C96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:59.027{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42A249FB9EC4832923E53CC0ADA6CF1A,SHA256=28CA0F7FD2B36C4C86545B8F5A27EAACE85B27E8727B4B3261115248EF112898,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.000{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-54587-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.968{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-54455-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.593{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19869-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.577{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse63.143.41.178178-41-143-63.static.reverse.lstn.net43631-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.555{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19741-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.532{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19576-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.497{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19463-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.473{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19250-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.435{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19111-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.411{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-18912-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.373{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-18793-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.349{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-18589-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.311{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-18369-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.273{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-18200-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.235{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17998-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.196{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17872-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.173{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17732-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.149{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17607-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.126{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17463-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.102{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17346-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.079{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17211-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.056{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17073-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.032{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-16831-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:59.329{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-145MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:00.527{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606F59B23C923F2517BF967B3EBEBD06,SHA256=F5444FC44D92A4C810A3A64C854598895DF8DE95B288A397D89CD3DDA3FFD844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:00.917{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615A3821552036202860EB362B193ABF,SHA256=907D1F50892BC5DD6FE31B0D11DAD5480FAE98AE381268E6E89C570D90A26141,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:00.870{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BB4-6154-EF04-00000000FE01}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:00.870{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:00.870{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:00.870{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:00.870{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3BB4-6154-EF04-00000000FE01}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:00.870{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:00.870{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BB4-6154-EF04-00000000FE01}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:00.871{5EBD8912-3BB4-6154-EF04-00000000FE01}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001557357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.486{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54181-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001463457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.595{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-57303-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.564{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-57214-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.544{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-57107-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.525{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-56897-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.491{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-56805-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.471{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-56622-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.437{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-56482-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.403{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-56393-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.383{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-56261-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.364{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-56186-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.345{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-56054-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.311{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-55912-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.278{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-55780-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.244{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-55705-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.225{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-55479-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.205{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-55358-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.185{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-55110-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.156{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-54876-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.115{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-54697-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.031{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-54599-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:00.326{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-146MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.980{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BB5-6154-F104-00000000FE01}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.980{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.980{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.980{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.980{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.980{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-3BB5-6154-F104-00000000FE01}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.980{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BB5-6154-F104-00000000FE01}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.981{5EBD8912-3BB5-6154-F104-00000000FE01}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001557378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.964{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F009409A5F1C96E93F89ED8E3BD1116,SHA256=B2A8A3041DB0998078F756EC8F96EC11B67E2F7CF87B22E042FAD37015163E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:01.531{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6102E16F6984AC1AF28F40DB42E6D679,SHA256=7F65E2387844E0F3896D1BAEE8F3B010FFB721CBE3E37B1E8DD0112C19708760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.652{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF5DCFCD1B52FBB96D0405B40DBE3101,SHA256=573BDFAB8ED8CB32B07F14C104ABC7686B76AEE39EC435AF71834E4CE24381A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.527{5EBD8912-3BB5-6154-F004-00000000FE01}29084432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.374{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BB5-6154-F004-00000000FE01}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.374{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.374{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.374{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.374{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.374{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3BB5-6154-F004-00000000FE01}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.374{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BB5-6154-F004-00000000FE01}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.374{5EBD8912-3BB5-6154-F004-00000000FE01}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001557367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.105{5EBD8912-3BB4-6154-EF04-00000000FE01}32721072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001557388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:02.964{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C251C38823EF6C921D78D4CC87308D5,SHA256=7D48C057CCCBC66BAA52271F59701E35A0A5069A1DF16B8EA9F8220916C8F115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:02.577{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E23E42E513AE3BE542CF896A81F85215,SHA256=E9C20ABA8446DD2C6993C04E01EEAE45B431848F3FF3D4A7CEE1E8C504150D7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:02.198{5EBD8912-3BB5-6154-F104-00000000FE01}54003356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001463462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:03.624{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6305025014C480FEB606CF458E0BF150,SHA256=21ACA3FEC27C6B993CA98B0E3A01F590D259C9FF9156D3ED2B70C35135C69326,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:01.799{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51580-false10.0.1.12-8000- 10341000x80000000000000001557399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:03.636{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BB7-6154-F204-00000000FE01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:03.636{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:03.636{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:03.636{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:03.636{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:03.636{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3BB7-6154-F204-00000000FE01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:03.636{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BB7-6154-F204-00000000FE01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:03.637{5EBD8912-3BB7-6154-F204-00000000FE01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001557391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:59.955{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54182-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001557390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:59.955{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54182-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001557389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:03.089{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0CC99AB6353AF4D3511E0B7807CBA14,SHA256=38BC773D3A3F90BF3D0C80E49C2E0F5641DA34B4D0AF4D5AA496D6CE502A57EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:04.640{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974D4B03E017E2AFAC9ABE525EF6A582,SHA256=86FC27BEE7FAF3250D8BBC0203D56A1FC65E66D51EE72A40C3C68A6ECECDF6D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:04.636{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=553E968303E0B9ECDD1278B35B102594,SHA256=4150E4FBCC6E230AF9809371385D4758EDA0C7B5F6AD4D9D54A929A76E174161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:04.011{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E42AFBB00C77D0F1C4D425556B7A711,SHA256=669DC927D3C0EF72808205BAA6AEC801DD49C523CFC5C101408E81938BDBD07B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:05.702{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C77493737F9D488E002EF9DF11B32B,SHA256=5B54E982F733C97E2ECC13B06EB180D0FE4E09FA2C11C745C8CED7D8D82C9288,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:02.564{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54183-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:05.167{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=437C86C801D9D4B006B6121BEAEF7F52,SHA256=682741AC0B13CAA6148F229383DBDD0077CE6724F5D575323B6D54CC8C182389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:06.718{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E02F1A6E622B8C4407EA48F9A6EE4E,SHA256=43529065717A6B6095C21B3362C8201C462BA1C34CCDB389C525BDA211E1859D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:06.245{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF77759B135706A259C76F45FB60B68,SHA256=3C9E5F1026CA2059FF20A1A768F119FBECE5604CE0212B270346C6E95A9C6E74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:07.734{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D748D93D9ECC16EAC52FA130BD1E86,SHA256=854CCBABCBACA1012B0DF7767B29A866D044F997B1F17A61FDD0E9E8E2F1F1FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:07.277{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA91BBCA0E42F6CAD48D5F39DF2E87B,SHA256=92558630210B19563B15DEF7A14EA11732A586694F5F4A19BA249185F412FB36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:08.749{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B941A4A6CD522694CF46D42B2E11C184,SHA256=B76B2DDEA5BA5095D43F3B2FD4A33BBD1BEF69E4055B0A80B97EFDA7AA50809E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:08.339{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D103FC42E894659853BF0458D4C5DFE,SHA256=F7706680037CC7BE59CCBADD9167134B27BAF31A52C60F5611FC982BD2A71D78,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:06.815{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51581-false10.0.1.12-8000- 23542300x80000000000000001463469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:09.765{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484DE27584963DED4301730753A2F6DE,SHA256=C311F72A8D4606EB14D7EC63B98CBCB414EE5B01B958B2F2C514F1A84CEBF510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:09.354{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6010BB6A6CB44FD7D63BF0CD9C67A9AA,SHA256=C002C0A854F24EC140E73D9E27EB84C268F809A169F7067424ACE1ADFDE52C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:10.781{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D6CAF27E8C3EECB19EEB07CA2CE278C,SHA256=860AB9E23EF90C8AF6D7B4D0B904345BC0E5C6553670A132FAA6909FE8905B26,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:08.407{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54184-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:10.354{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD3081B8C079CB6F87AA2FE5BBD56B8,SHA256=60FAC39CDB5392F61A6ECC5D3BBFBEA325FA41D4B7EF839CAAF0A2AAA88053E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:11.781{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4EA925303647CABBA4E05DDF079AEB7,SHA256=965512011600925DED147B0797C021B2F5B6A0BE90D6F7979F2D61E8B2700DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:11.354{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C58041193859BB04F19B5CEA0E95975A,SHA256=A282E658229A842F0F455C71EB44D8071889392D1784E5195CB2BDBE83AE569F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:12.781{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03814D48A57E645BF74D1472E2D2A0B7,SHA256=4782083422695770B40ADD8A276231ACFF7D3F1895BB73E3115B8ADA363581E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:12.369{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81578C59145ABABC747A7885A85339F,SHA256=BEFADEA5146FF17FA5FC09A0AACDB21E9F01AC13AC2918FCB19BB5130688A764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:13.796{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5E0CE175AD558B1FC7074E0502BB80,SHA256=7F70AEFF98D6C94786C1919C8978A23FD064C07AC4D322DDB02A0D4CCEFDC9F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:13.369{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DC8655A9F459B739D6364CDB3BABEB,SHA256=9F0327E9C8987FE45DA6ACC783C016F31997777AD45E9F21D106556311367C15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:11.877{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51582-false10.0.1.12-8000- 23542300x80000000000000001463474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:14.812{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C90B18E6678033F4B59883B437B1C1,SHA256=04A1A4CB3B06C3E887A975CBCBF2C4CCF3A5A982A784CC5A13E7A0D3483E5848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:14.369{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F11353CFB2878674C56F0238850E330,SHA256=9D8D0A154A40905387248288D93AD598938D75C09A4CE5CEC03AEC7336DE3DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:15.828{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F53051E8E033C0526681808A3DFF2AB,SHA256=323EAA45E324F20B4FECDBCCF133297116A3F03D8F3C3E3A0835D4A7B90DED08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:15.369{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8848F9199E0EC87716B3A3B7C20931DB,SHA256=A67536578525CB49BD5B90B373E6622FB6F078C83D845372047A3486C1F8DB7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:15.187{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A364A79EC72D8ACB2302C7BCE686D0C5,SHA256=AFE7D5C77ABE545D173C212893601B97775C0AAD06A0C249680049B158C5EBAE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001463500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001463499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001463498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001463497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\FlagsDWORD (0x00000002) 13241300x80000000000000001463496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\TtlDWORD (0x000004b0) 13241300x80000000000000001463495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentPriUpdateToIpBinary Data 13241300x80000000000000001463494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentUpdateToIpBinary Data 13241300x80000000000000001463493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\DnsServersBinary Data 13241300x80000000000000001463492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\HostAddrsBinary Data 13241300x80000000000000001463491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\PrimaryDomainNameattackrange.local 13241300x80000000000000001463490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\AdapterDomainName(Empty) 13241300x80000000000000001463489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\Hostnamewin-host-542 13241300x80000000000000001463488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001463487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000001463486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000001463485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\AddressTypeDWORD (0x00000000) 13241300x80000000000000001463484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseTerminatesTimeDWORD (0x615449d3) 13241300x80000000000000001463483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\T2DWORD (0x61544811) 13241300x80000000000000001463482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\T1DWORD (0x615442cb) 13241300x80000000000000001463481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseObtainedTimeDWORD (0x61543bc3) 13241300x80000000000000001463480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseDWORD (0x00000e10) 13241300x80000000000000001463479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpServer10.0.1.1 13241300x80000000000000001463478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpSubnetMask255.255.255.0 13241300x80000000000000001463477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpIPAddress10.0.1.15 13241300x80000000000000001463476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpInterfaceOptionsBinary Data 354300x80000000000000001463506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:14.874{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:88d1:47ea:8a92:ffff-62904-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000001463505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:14.873{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:e060:eede:318:987awin-host-542.attackrange.local62904-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x80000000000000001463504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:14.861{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x80000000000000001463503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:16.843{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81277CB0BFA1373623F6DE7F913A0392,SHA256=3BDA52D9924CAC8E183D8944B89FDA480CABE8E85E25478538746EB3A1CC82CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:14.539{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54252529- 354300x80000000000000001557417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:14.536{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54259437- 354300x80000000000000001557416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:13.517{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54185-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:16.369{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E28F2C39331C6953F871135A1C340A7,SHA256=5673F052D1220562BD35D1DA501E17126EC748A8EFBF7557FC8E04BFA5395FFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:17.859{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D510CF008FFB259F0AC6B0E69BB9D47E,SHA256=1B72DEB4B1DA0C39F82DBB0752DFA346A1BBBB1A386F62A574C87F0D06274704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:17.369{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D623012568E6D7F761483302F4E46A14,SHA256=6EFC009D826CEC8B7C83BB468DB1B7131943C0ABA9E2C506D2091AE145EE3D73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:17.499{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:18.860{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D21BD05F039DB3B37981E7480F81FC,SHA256=76C5068BF58287523B517C5B4D0172983D4DA6ECB3E4E99FC25A2B42ACDCCBCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:18.370{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D1752B25F632517399A6A362D85729,SHA256=5A9106473E5608149B29EEF37EDE92EC95CEF2CCB31C023C9A7D3DE0242C1A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:19.876{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8F2F85BCD75135B8E69AEA8D009DD3,SHA256=195A6BB0BD23AE9EB0C8732154753C81526844790E07CDFAEAA02569D0F5AC6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:19.370{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA786428F3C6F6EA5739730639B8099,SHA256=E8F4C82C06C28AC5FDEE9880323368BE1424200491CBEA15E360FEF33B2E55FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:17.190{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51583-false10.0.1.12-8089- 23542300x80000000000000001463513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:20.876{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35144D783F8DB1C742FC7DA60F6E544,SHA256=6B26FD7852D0E0B1E8EBC9C95585DEF76BD17C1DDBF28CACB089964D738920D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:20.370{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F473F9CBCDF025E12C587144A6EBCCAF,SHA256=7C8B0465BF8123B0F7967B82100447E0AE997746387AAF9C115C06A9D76FBC5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:17.879{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51584-false10.0.1.12-8000- 23542300x80000000000000001463514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:21.954{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642A107BCB504F70F1F1D141CF1FEB11,SHA256=D639F908DFC4FAE84CF6DC8BB0EE3468D10B1964E6EAC27D94C92CA2729719F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:19.329{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54186-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:21.370{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1AF823A1DDC8067321AF30B217F0116,SHA256=F8E476FF36612BF4B3E0F70041CC388C1D9FD8A06D2D98C4690BC720DF3F78D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:22.970{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0649EF566C624EC081134AEBD76C849,SHA256=7191D31425206419A3C132632F68A63E6D77E619E25C4CF697AAC7B731BF59B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:22.370{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=594936C19F4FEDAB6FA2B27A4A171ACF,SHA256=CFB93A6D3BBBCBCC03084D0C90F7B7AC3AD8A4FED0662FCA97301FAE3F843344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:23.985{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284352FBF2B67B9F8A07DE81944C94AE,SHA256=272F8A1F98D98E884C8BA033BA544B6E6DE197C54006934742A72AC303D1685F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:23.370{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C615DE50A0C588175F8C40F7AC1434A5,SHA256=1F6271F3B8C92D9A9AA2AC89BA6B0E0B4BC3E015A25A70185D4343EFE2B7328E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:24.385{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4DBAF2D6756F58D5D4FA55621522C49,SHA256=05E77205F7DBF90B8DE22B07B5329FE1CC1FD1073079DDF179AFD4A63810D64F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:25.385{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502C68AD12AEA8A573536B314728E14F,SHA256=DEB02A26287BFEA4FCE85C405FD71D08D2C26EF65683CC231A0C621836682218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:25.001{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99EF1EDD634717C40F2A85684218031,SHA256=05A6028943818898FC6192814AB8BC9C03EA265F6693C687BC2430BB845FED8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:26.385{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4670C3643B0E71CC1E417BF9768B6DDB,SHA256=39D4F33CDA9917CE0CBD5DDA9C298E5EE80ECF862493E1A995A2FA310005A03F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BCE-6154-B304-00000000FE01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3BCE-6154-B304-00000000FE01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BCE-6154-B304-00000000FE01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.799{69CF5F33-3BCE-6154-B304-00000000FE01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001463519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:23.847{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51585-false10.0.1.12-8000- 23542300x80000000000000001463518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.017{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09241AE32C8D02B2869A028938486C7,SHA256=835B0B283EE2121CA79F1993B1673EA50A81387AC17441DD19F9D6A23CA49292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:27.385{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE07B83678A439A5E60CD9CAEB49FE78,SHA256=244DBC4FD1EC774037BB26614665265CBB1BE51775A8A08FA67FC41C2ACAFBE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.829{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D87EB30E15E56FCCE643CD2A232AF008,SHA256=92329A63670925C753AB2EDFD5DD1CA4E39F7BD35D93EF78EA4DE539A9E6E529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.829{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE043649B984B7E16B8950DA62989C0B,SHA256=B1E29BA825A7FB71DD40557B5A6DECC1E675B99279D98114BE7087A8E62EAA1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.532{69CF5F33-3BCF-6154-B404-00000000FE01}32243056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BCF-6154-B404-00000000FE01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3BCF-6154-B404-00000000FE01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BCF-6154-B404-00000000FE01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.299{69CF5F33-3BCF-6154-B404-00000000FE01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001463533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.032{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CAF4A081E702B8ADF040ECFA22EBB54,SHA256=4C2D8DF9D2292B62C6E7257BC3301FB6AFC7787D8508E65F7A300B111B3511B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:24.361{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54187-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:28.385{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39865A4571A8BA0AA346322CD0CEB13,SHA256=F4793FCB83099D50E38DF1742E53EA49A801227ECC0A7987D8A2701F45BFE6B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:28.079{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A48827A4E3CA589B34AA6EA7067345,SHA256=582D330C683DFF9559318566E58EB59A0550E4D4A1ED93F506125107314C8B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:29.386{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F009A6F5A79C757A5463BE739249E86B,SHA256=A2E915F913EF8F5B30C978D68EA065C7415401269371646F147B89D6CD91C761,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BD1-6154-B504-00000000FE01}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3BD1-6154-B504-00000000FE01}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BD1-6154-B504-00000000FE01}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.706{69CF5F33-3BD1-6154-B504-00000000FE01}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001463551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.095{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A349FD9F5C29653E99395ACAADEA13BD,SHA256=DD1EB2964F0845EAFC6A45213B76E3EC0FA84A80CA0101E6376552C1054ED494,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:30.958{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-1892-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001557435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:30.686{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-145MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:30.559{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB6B1B2FC3F6F9B9A8657BDC748D8F8,SHA256=7A7D80BAFAAC71CCDA5E7BCE1F0015418256FAD29B82C80825A19D6E59490D60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:30.735{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D87EB30E15E56FCCE643CD2A232AF008,SHA256=92329A63670925C753AB2EDFD5DD1CA4E39F7BD35D93EF78EA4DE539A9E6E529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:30.095{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E254A788BC1009F5D3886DD30703E4,SHA256=7A0247B07437D0F2602D2AAC2D652DD5F7DF54079B30B4BB0AC298B779A1A299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:31.694{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-146MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:31.568{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36870B1B4E58C49EDD930E4886178DD6,SHA256=E40757140C206E017CDB3072873E9E3B49D2C5E7651A207BC878B1371FEA4800,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.784{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51586-false10.0.1.12-8000- 23542300x80000000000000001463567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:31.142{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CCD20EFDEE23D0ADF0AE3E642A5685C,SHA256=8DECD0904536B83A3292E9EE1A88B76271948951D33D89D3BFEBF94784F97BBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:31.162{5EBD8912-194F-6154-A100-00000000FE01}4472ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:32.616{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A6EB40BE22668D64F2B09948ACE101,SHA256=628490FA460B936A5BEA9889A5100EDCDDB9C33C53DCA53918499869C893890F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:32.173{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0228346D43083A2373AB6A7774FE7664,SHA256=11FAB0C071F505D2830BE397774DC06EB1C24B37FFD0E4FB0C9559A0E3007F3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:30.279{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54189-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001557443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:30.279{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54189-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001557442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:29.455{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54188-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:32.193{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=220E256E283A8C9355B36471D85B053F,SHA256=964CA16FC434FCC210A98BD833C0812184DB56C4FFFA41C82517DAC4EC5D0724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:32.193{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43C21E3837DADB6CBC22535222ACCA1E,SHA256=B59BC2619D1270BD9B030EAC73CE668FEF7159459A8C7490459268CA349428B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:33.679{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75FB57713D6B7A679C6DEA325E377F4A,SHA256=92C93F56BA576EB41480EC1754B31FD5F5059CCD5093D0A4DBA50DCB42CE4105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:33.220{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B10409B3E3D0624AE889D25DF65ECCE,SHA256=DB899AF69E07837E67EF8B951D3316B944098FC49DD5835FE623AAE5B086346F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001557459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000001557458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000001557457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\AddressTypeDWORD (0x00000000) 13241300x80000000000000001557456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseTerminatesTimeDWORD (0x615449e5) 13241300x80000000000000001557455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\T2DWORD (0x61544823) 13241300x80000000000000001557454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\T1DWORD (0x615442dd) 13241300x80000000000000001557453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseObtainedTimeDWORD (0x61543bd5) 13241300x80000000000000001557452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseDWORD (0x00000e10) 13241300x80000000000000001557451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpServer10.0.1.1 13241300x80000000000000001557450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpSubnetMask255.255.255.0 13241300x80000000000000001557449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpIPAddress10.0.1.14 13241300x80000000000000001557448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpInterfaceOptionsBinary Data 10341000x80000000000000001557447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:33.194{5EBD8912-18AC-6154-1600-00000000FE01}12725024C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:33.194{5EBD8912-18AC-6154-1600-00000000FE01}12725024C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.882{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001557472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001557471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0089c921) 13241300x80000000000000001557470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b511-0xffda695f) 13241300x80000000000000001557469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b51a-0x619ed15f) 13241300x80000000000000001557468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b522-0xc363395f) 13241300x80000000000000001557467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001557466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0089c921) 13241300x80000000000000001557465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b511-0xffda695f) 13241300x80000000000000001557464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b51a-0x619ed15f) 13241300x80000000000000001557463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b522-0xc363395f) 23542300x80000000000000001557462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.679{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C97E1526C7508EFD5116631AC43BA9,SHA256=5E10C875F02F1DFCA756959B2C650CB4753D7EF904DB14C6B6EE5C94B55C16FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:34.220{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB192E29434F47B3F864913AE28B1B1,SHA256=7E699C688145C6B3D260C4FA2435435E955EA713E337C5F167BF2D1B0EF0D9D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.398{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=457B189984BAC2B8B76A8D16419D9C5E,SHA256=2D54CB12DD0876716CC8316343508264B9483C3B6718E5467ED7E1393C80ACC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:32.935{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x80000000000000001557488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:35.726{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81D860B6713F1F9D921E6736819BF65A,SHA256=1412F848A235147F6116816ED341B0A5A1A46F2AD48583142A1BD188A47FF3CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:35.251{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC36AC40867D66649D539E04D58513A,SHA256=1C99FD90A9A5A85822F668EA26C0B17DA8274B79240D04DB422778F4BD84204E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001557487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001557486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001557485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001557484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\FlagsDWORD (0x00000002) 13241300x80000000000000001557483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\TtlDWORD (0x000004b0) 13241300x80000000000000001557482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentPriUpdateToIpBinary Data 13241300x80000000000000001557481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentUpdateToIpBinary Data 13241300x80000000000000001557480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\DnsServersBinary Data 13241300x80000000000000001557479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\HostAddrsBinary Data 13241300x80000000000000001557478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\PrimaryDomainNameattackrange.local 13241300x80000000000000001557477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\AdapterDomainName(Empty) 13241300x80000000000000001557476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\Hostnamewin-dc-429 10341000x80000000000000001557475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:35.648{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000001557474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.648{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 354300x80000000000000001557507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.983{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local57053-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001557506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.983{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local57053- 354300x80000000000000001557505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.983{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:98b0:5308:84ce:ffff-57053-truea00:10e:0:0:0:0:0:0win-dc-429.attackrange.local53domain 354300x80000000000000001557504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.983{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54352- 354300x80000000000000001557503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.982{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57127- 354300x80000000000000001557502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.982{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57127-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 354300x80000000000000001557501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.982{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53325- 354300x80000000000000001557500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.978{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65184-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001557499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.978{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65184-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001557498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.976{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55258- 354300x80000000000000001557497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.975{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local65183-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001557496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.975{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local65183-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001557495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.973{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local65535-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001557494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.969{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59190- 354300x80000000000000001557493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:32.943{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:98b0:5308:84ce:ffff-59842-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000001557492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:32.943{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59842-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x80000000000000001557491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:36.773{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B6C9529AB7B4AF936694BA94EA1831,SHA256=8E1408D981CA00D7AAF85A394B66766A6DD9CA3B89D4A88119F6CC860F423D0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:36.298{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113D76AC72F25C52EAE9EE66A2D6F7A2,SHA256=9AF866C29265CE09DC8138D8A8DC56CDEDCDF7E673C5179EAE8E91C8C82B7250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:36.757{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=220E256E283A8C9355B36471D85B053F,SHA256=964CA16FC434FCC210A98BD833C0812184DB56C4FFFA41C82517DAC4EC5D0724,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:34.909{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51587-false10.0.1.12-8000- 23542300x80000000000000001463574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:37.314{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9C6504D08C7E8A653D5114B2CC9142,SHA256=3BC0882B2F2A29CDB8069CADF4026F248DD8732A6D8E8DD10931E18C6406B1C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:37.960{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28CE7B03AD7457446BA0B9EA3BA6636C,SHA256=FD595851DD60BA2B42636980F5819375CA534FAEAB9F0FCE9A80A42B04C38090,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:35.342{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.92.42-49479-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.984{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local51830- 23542300x80000000000000001463576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:38.314{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0A6C2F76AB8B160DFD42F85EFD732C,SHA256=5D7EF6FC6099EAF78D3EE6423211C0746AC4B16C78FDE98D6E0FF766D794BE7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:35.467{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65185-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:37.991{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50EFF063AA6B65D6BCC8B14B8F489D83,SHA256=A1B52910AD3166D78F845D8C14BE24416E1CFFC421C94375FA1124E179A7C542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:39.345{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C618D86796CE536B8DEE77C43FFDCAAA,SHA256=4277771820D246614A0E05A6E03F52B0BA25C589ACE7F57FC02E149172413486,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:37.474{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-52935-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:37.437{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-52812-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:39.241{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A47D728EE4F07456FFB5823EF1F18431,SHA256=090E2283B2603E982EE4CB50B2ECEEE951BEFFFCB11BE03D60810CD2C4F025D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:39.163{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81612B43C205DCE0A9A9A230188A3132,SHA256=310CC9C147718439F0392D8878D64A327712FFA24E058341C9CAC206F98DB8F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:40.345{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743CFB114D9D58C40AAA763B89F01067,SHA256=3BBFE95BBF8F8B545692E60646CE51C7790B3982317ED7E4DEE6B6354BA15616,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:38.660{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-58981-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:40.398{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C322B2E3961F87015679B4BB0536C9AF,SHA256=CC235A389FEC68939F624FCDBD7BB8B0A17DBA9117D0236196692798072EF15B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:40.179{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C1C1DA48FECD43E65B9664F261D8F69,SHA256=DE27F5F72E6D362043AC02E5E6DEF623812DAD2100EA792CEA322361E17A2191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:41.454{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671BAE04E3D05746EEC1406983F9989E,SHA256=3D22BC168010BAB79A32E8DAB284F36066B10E7BD4DEF88D7AAA611D78077484,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:39.752{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-5770-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:41.492{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AA141F66DC4520F125006884886F7F6,SHA256=D24F4D91DE08E562FA8DDA166289B4030F770CFBBB2E711F77D98F56305709F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:41.179{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF88F80960F411E7777DC5AF0C9D272F,SHA256=D8983982B7A627D8184B949513BDEA93C4B193D7BF7FBA366915EB3A35C94878,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BDE-6154-B604-00000000FE01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3BDE-6154-B604-00000000FE01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BDE-6154-B604-00000000FE01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-3BDE-6154-B604-00000000FE01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001463581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:40.941{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51588-false10.0.1.12-8000- 23542300x80000000000000001463580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.485{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D30CC5A3AE56772A27C2F5E0C1A65468,SHA256=16C0408DDA5903C282031759D49C12A505122D17B5CBE252AD8AF18B6AF15F24,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:40.832{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-11354-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:40.514{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65186-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:42.679{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AE75B066BEC36B93DB08D0A451CFD8D,SHA256=31264E797D1647D59F02C75D0FA05030AC66CB8702B16EC2D1D28942D0B3D393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:42.257{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7846765E2B4ED9DBF92B9789BFBAB9D1,SHA256=FE7ADCD3B2F11D9570306D91C8BDFCA844DC2D88DFC4C48E290F68D7B654069E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.876{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9099D18F9678D4E79A8647BA0B2FA76D,SHA256=669126E544E8088E67ABF183E84CEBB653ED8E3F237FBEABFF06A1A1C03BFA42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.876{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B598565ABCD6674FF63820FBB2C3030,SHA256=EFED8FF5A8438C6F45806526A0F36E80BAAAC718D512DEBE1928DE9C3E69EE4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.876{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=374DA90B881E18B2A3CB6F8F9E583474,SHA256=C8CBC80C8C770C5420D65BFF66364FB74E561A0113405B213681A13F0396CDEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.610{69CF5F33-3BDF-6154-B704-00000000FE01}15521444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001557528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:43.757{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E062A22E4AD46F20EC1083C50ABEF70,SHA256=9AF619874FAF09FB9A9DF6D625B7CB65D2B038CC84D45E1A240666F70045F951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:43.273{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45466C387D008EC0B33BD431C4376A5,SHA256=8D534F062E681F46938B2D09FE6D5215D39008F265DB103EE0F0CC931FD141CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BDF-6154-B704-00000000FE01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3BDF-6154-B704-00000000FE01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BDF-6154-B704-00000000FE01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.455{69CF5F33-3BDF-6154-B704-00000000FE01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001463595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.032{69CF5F33-3BDE-6154-B604-00000000FE01}5921308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001463643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.829{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9099D18F9678D4E79A8647BA0B2FA76D,SHA256=669126E544E8088E67ABF183E84CEBB653ED8E3F237FBEABFF06A1A1C03BFA42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BE0-6154-B904-00000000FE01}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3BE0-6154-B904-00000000FE01}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BE0-6154-B904-00000000FE01}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.799{69CF5F33-3BE0-6154-B904-00000000FE01}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001463629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.626{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=883EBFEB1116D1E844C811F0E2CA6659,SHA256=3BB73F14816EE17066117CA91DBDE1B94ABABC0D83F03024893D8E27351C8BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:44.882{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D070E9C08FB5A13335B456A7C4C99E5C,SHA256=471C4E6AFD480F8B9BFBF7DDBBE4E382A86E75308DB916AF55750D03CC1B4596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:44.304{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB7EC57311C68A6C797FFAE1E462E6D3,SHA256=79DE4AE1B934157E7938D2A2C207FFC28683FB9562BE9E4AAA9203B91849F2ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.265{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-17221-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.225{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-17024-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001463626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.330{69CF5F33-3BE0-6154-B804-00000000FE01}2544932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BE0-6154-B804-00000000FE01}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3BE0-6154-B804-00000000FE01}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BE0-6154-B804-00000000FE01}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.127{69CF5F33-3BE0-6154-B804-00000000FE01}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001463647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:45.954{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F416CE5AC832AD6CDA7E20645C18C906,SHA256=D4D74B759380FE8904BEA1F56EADF5579FFEE1B3D3E048F7ECCDCCD349F34A76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:45.673{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EDF070AF928B3EC18AD4501EBA6E4B4,SHA256=E81BE42B3646B3DB1CAF9E27A4C3DB411DC78EF5CE332E21132391F735DB7439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:45.320{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B5907D0F229B3D7F05AC7AC27463790,SHA256=D424AA88389886B74F586A97385063831DEF90FCF437B105F4914C069F01D289,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.430{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-23325-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.364{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51589-false10.0.1.14-49672- 354300x80000000000000001557532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:42.027{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54251589-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001557531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:42.019{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-17699-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001463649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:46.751{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6303BF8400D956FB3F841F13DDE71E,SHA256=BAD78EE9FC3550153631F2332A508DF61DB040A16B144AE56DDCCE852B8C6636,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557540