354300x80000000000000001463227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:26.957{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-34652-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:26.908{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-31354-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:25.855{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-28693-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:28.479{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA92F1C30FE9B86A1BE2B526B02E08B,SHA256=0F8F067E995F82147FAD671BD5C2186E437B442280389D348C950B8D601F12FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:28.252{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04A53FB2F1D720275BE2FACDA8AD59D,SHA256=B1F6E4EEACD3E6AC4DB5F7A5138579BEE77591F57F4BCEE9C4CC307540905839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:28.339{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AA1B88F8EEB0E057649D1D63D8D9608,SHA256=5B20FF70F5BCF6C08D01A19A8ECF14299B1B5C38586E9BF7874EFCCAB39E2421,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:28.067{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-40487-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:27.780{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51574-false10.0.1.12-8000- 10341000x80000000000000001463242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3B95-6154-AE04-00000000FE01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3B95-6154-AE04-00000000FE01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.682{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3B95-6154-AE04-00000000FE01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.684{69CF5F33-3B95-6154-AE04-00000000FE01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001463229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.511{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4022A7A53D9D5A16CBD00F0F77C3295C,SHA256=1679DCEB4B38A6C5B2B0DA9ADD3ED8951498B7CE7B0711D9A902FBF606EFC5E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:29.254{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60010F92FBDBC14B80820A0F67B9C75C,SHA256=71C9EF38E116713E9B047E93685FA50A556D9F427AF5095CE9B55EC9527EB5B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.417{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31CA7E4767DCA62574B1FA13E9690F16,SHA256=98F2533927120C5F37F2D298F0BC1FAD23E12D1C2858DE543574934F5F925A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:29.148{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-144MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:25.414{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001463247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:28.391{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-37722-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:30.526{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1004BF376505CD0E5CB9953F8E177B1,SHA256=D950157CDF19DCE42F04DC304B290414C947A177C4ACD6177DD3434325B51860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:30.268{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8653606B970372BED001EE536B53262,SHA256=2C858A4C4F8620B7E7ADE88C938C8A89843C28AEE5B8CB4E91DF4C8513DE5DC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:30.511{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=093C817F4E7767547F68B666E7143BA1,SHA256=C134F062DFDD4D549740720DACA70C3180CF8F372061F5AF299E4CE4B6A61EF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:30.161{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-145MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.144{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-46156-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:31.636{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B8B4222F084135D886230114BBC614E,SHA256=0AD252B2D6E9B23C28629D35E240401909FE09DAEB39452C22D0A8280A33A646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:31.542{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1B22BB4C61FF6AE490B7CD2C0CA0FE,SHA256=7976AB534576F6138C5A97C0B9A1B46E5249CC61BA7242E0FE737C997CDDFE64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:31.271{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1463EEEFBBA2D273CC325C65AFB8E5BD,SHA256=D092DABD1039944A220FE48AD05B7EED8E37CACB3DC6B76C68BC738D73FE4E46,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:30.569{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-47993-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:30.254{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-51932-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:29.469{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-42836-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:32.761{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2789BC3483CD105EE73A2171655FA4E9,SHA256=795E6055FE163B50D1FD65F4618D3CEE834B4D604148D234E7B0C8D7F7826D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:32.557{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F7D13264AB36C331CD657C583408AD,SHA256=9BBEFD4150095CC170E058527B8AB6BA088448A02792CA44F8151633C853DA3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:32.271{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45522410974FA5C824218F3505B0867A,SHA256=95994FB5B4D5EC2701B16069B0BE34757767CDD12AB8742441491CFB0D5537F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:31.379{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-57789-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:33.886{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DC324E31C96B3EE9B8F3A262D8D738A,SHA256=E17547BDB737890017499E8CB0A539B2CB1E472E6EAA436F38518B56DB86FC85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:33.573{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C966F5BC327026B197CD9312EB0D201,SHA256=2FFBFD6E18C81853B5D6B56C6DFD333DC210E0C503F13D995F66548140E1A502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:33.287{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD25426B471A6EED1AE0FEDD296AC370,SHA256=EBEFC1D2A71E71B62E5AEF2444A895573BE2B55F39194F8C2FDD8575367CA754,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:30.497{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001463264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:32.904{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51575-false10.0.1.12-8000- 354300x80000000000000001463263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:32.783{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-58508-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:32.500{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-4840-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:31.684{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-53203-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:34.964{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14436FABC3CD5C5DC5BC634AE6409899,SHA256=53619A044435BE432963BC69BC21B682A3A96BBA1AC456DF6A1A32DB2964E6F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:34.589{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA838AA1C025B0F75683BEA826074E6,SHA256=493C365317C82D30DFB44742CFB1EF8F407781369E62DBB38C33E801949F91FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:34.396{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5A411746E0F3070FDE047CBF8951BBC1,SHA256=7276081B7F06877D897C6EFFA0A5481724FBC3315B767361808A9EE3F20BCC3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:34.318{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8BA0000924B7CE2F40FD2AE1C9EE9C,SHA256=D72F051E904F1FEE57141A040AA744D6CB6542171F7AF5F8DFDF827B74EE5F78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:35.604{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A7544EB042816B85FB4425246B558A,SHA256=5874B757A1DFD4E97925B1712647D9E54F49471F00C57D8E9E4E11B98EF8BB70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:35.412{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99CA8EBA4A066BF4D674C5A5CBF75890,SHA256=36E7FF9EEDA13529CBEABD79D981B0AC24FC953BFF0E30EC104494308CF36625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:36.651{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD52A47985C167563DAC2FCF826C8E7,SHA256=CAC5762C427091AC9199BE58BC88DCDD7594DA444AD49B48420AC153DA3247AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:36.459{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88806585FBE84222FEA0316D441D515F,SHA256=964F26C42EBF05623A58B5DD70E02B3CB8F803481427406DEB8EC38664E262F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:36.042{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6157BD10F07F9BBDDAF02C57BC6B8D7E,SHA256=73B72A20677828BE84E8E044FDC2F014210F46D3877FD1FAE4A156CB17EEF305,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:33.906{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-4578-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:33.615{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-11026-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:37.683{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D92B1978AC9F796805C640FE4C5DE5,SHA256=457F6D22A308247BCDA1249EBB4F301D3BD72D0A4CFB9E84D1BDFA4084CCC613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:37.459{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6ACFD89669E0F6B84482C034454D5A2,SHA256=4925FA8F96B848BC5D3229B95DCB0BAFE68E2DB037BC842ECAFACDF635F28C39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:37.182{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C685906CF9F853B74F589CBA14121C4E,SHA256=530AF2CF4D8762506A4BD3BF46A6A1DD056366E7E93700FAA9CC318683FC04DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:34.696{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-16696-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:38.698{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=915B52252386A005C551BD8AFF45D60D,SHA256=7C643C0564A14445AA0A5DB6EA9B793D167EA4306729A2476B21F43423C71037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:38.459{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51941227C105887937FD0DDB081D67DA,SHA256=3F2C7F0899ED4F31CD5F336558AB092568CE397199B904906869490E424A2EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:38.276{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78D4F756F7CB9C2611107492706DFD01,SHA256=DD83B67D34F1A324F39AC62868296A223E3D1983A61956FD332DBA425419C56A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:35.799{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-22490-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:35.037{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-9572-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001557300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:35.497{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54176-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001463281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:39.745{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B30A396A6437E7CB23749EA9469BCC0,SHA256=BAFD22D22B54BE39193946C6F855ECF73EB7A4D0BBFED6FF3B667FDA90ECEE56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:39.459{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=501B1F39FA0E81C0D7E9202F010B6528,SHA256=9363DF1C4A10FC472628816B765C7E7B489B9CA295D9B279C5C61275CF9410FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:39.417{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3016F8B53D714904F34182EF1B7F285,SHA256=58369FDD1C0A4E4AB38DC7D0C61022D8E0A460BF155D89445FEEE63A0B4CD71E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:37.306{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-20047-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:36.912{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-28519-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:36.139{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-14665-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:40.776{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB27D1B16C9FF40CDEF6CAEB8923210,SHA256=7085E08A9AC8D8B3E4D20A7C6A517E0B8D7887EB50624D3E4984EBDF362150B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:40.474{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FA4E5A1B2479A7A5BEA313664BE681,SHA256=FD552E4470389A754269B035C9E9D22F168825A3CBC9D4B1DD9F0D4E033AEAD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:40.511{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=864525307D16C87BED3EF06BB7450A85,SHA256=1642EF4A3E674231E2EFF7CC6C1B146F31D39485B8A59002B160E67ECB567481,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:38.686{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25961-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:38.034{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-34158-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:41.792{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A039AEBEADDDADBD0BE39469D7363253,SHA256=98B6B9468D6140EFA03A18C6859D40976E0232B12A71024D836D5741B93AF461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:41.490{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B3381E3F0CF703213C9CE55E68060B,SHA256=80185F658D502686A550760B6479571D0068828A24E81971976588DF6132B686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:41.745{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADD0D6604703152B19F22D6E59C803A7,SHA256=612A084DB1506E7C292BE5F3C51A20646C200CFD9F9C24A566587B1BD700270A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001463288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:10:41.620{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b51a-0x42435c7f) 354300x80000000000000001463287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:39.145{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-40219-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:38.826{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51576-false10.0.1.12-8000- 23542300x80000000000000001463307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.870{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B4867464AC2CA5D06EB9D909FBE8E0,SHA256=D9F48098FA7E5C50106E663E2E7473A694DADB3146ECEBE98D354E55E593E73B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.870{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8229A5A4F318A59E463AED9ED558C119,SHA256=A363B8B28C85BADD949907EA4EA26F490CE02A592C39B62415C8A3ECB218159B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:42.490{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD14FFDBD0A5FBD382BAAAD5A84D2CA,SHA256=71D97AA2552E9545E3126B750684822FD2AB254BFD5A35D9E643CAF2631B06EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.854{69CF5F33-3BA2-6154-AF04-00000000FE01}14523712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BA2-6154-AF04-00000000FE01}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3BA2-6154-AF04-00000000FE01}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.558{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BA2-6154-AF04-00000000FE01}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.559{69CF5F33-3BA2-6154-AF04-00000000FE01}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001463291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:39.851{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-31442-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001557307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:43.631{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2435B1DE445AB60DB36E3DEE9C070F,SHA256=77442868A0E1BA0CA039DF032BE5793309B51464DDF9A78D53B6289820AFCBC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.792{69CF5F33-3BA3-6154-B104-00000000FE01}35443572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BA3-6154-B104-00000000FE01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3BA3-6154-B104-00000000FE01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.558{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BA3-6154-B104-00000000FE01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.559{69CF5F33-3BA3-6154-B104-00000000FE01}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001463325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.354{69CF5F33-3BA3-6154-B004-00000000FE01}40642944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001463324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:41.748{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse10.0.1.14-123ntp 354300x80000000000000001463323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:41.485{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-52358-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:40.937{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-36525-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:40.362{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-46406-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001463320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BA3-6154-B004-00000000FE01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3BA3-6154-B004-00000000FE01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.058{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BA3-6154-B004-00000000FE01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.059{69CF5F33-3BA3-6154-B004-00000000FE01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001557306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:40.544{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:44.631{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E4B05E0CEF6E123E8A73D9D89D78D21,SHA256=B756F9EF0BE42C0DC5F273EAD36B352DB7B345D48263D415AA2C5BABC6F4BF7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.354{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=937AC18238FFC24EE642268321CB4CE4,SHA256=C1AB5366E94FA811379D48A257007B74D2A0403EADAF6DB153E08276BA64A628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.354{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED65BC99BD109B3A95F35CE115D02EB8,SHA256=4A73CD95A0AB8EC8FB231E4162E919FECA6C6A8C09C1133378882E42AF017EA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BA4-6154-B204-00000000FE01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3BA4-6154-B204-00000000FE01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BA4-6154-B204-00000000FE01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.058{69CF5F33-3BA4-6154-B204-00000000FE01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001557308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:41.410{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse10.0.1.15WIN-HOST-542123ntp 23542300x80000000000000001557310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:45.631{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04EFAF34538EE5CD035C7D69707472AE,SHA256=891CF7A2E62DFEF7804AF14AF2E4BA0388FD320C4DCE12E9B2D5DEE175E50ED4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.614{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-58488-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:42.144{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-42110-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:45.276{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6FFA8D09B8012D25C45A1B05157A0FB,SHA256=9EFA09C36CA0936614E0CFBF70138A89C32A3D92D68D562B8988175ED6D89DD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:45.089{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32759A01C83489DD70F80FE545812B0E,SHA256=54DCA540F925111AB6B3ED5151D727A60D0F680374292305DF34DC2B7026CE1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:46.631{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A9CBF9D7F667BDFF086C4F4B04778AF,SHA256=563C398B11159D5E94AE9D01F1A78F461BB4C7AC988D2C075D4243894D654EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:46.933{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9955242C2C9E4945B75AA42646138925,SHA256=3A3F1357A1991A7EF1B180AD1FC769381A33D37C9AEF65BCCE5504ABAF6EA9DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.967{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51577-false10.0.1.12-8000- 354300x80000000000000001463361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.724{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-5395-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:43.372{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-47476-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:46.120{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977F7EDB5DB00A9DF955FE5F4E62C6E5,SHA256=4E14BACA54EE10BCD6E0C304C4626A80878381E50D9DE2FA24B26140B174645F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:47.631{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B464C9452383433BD722FA320F7AB34A,SHA256=F17AE70A72F1ABA23B8182936EE7CF616746C84CF32B8704A910B8D82B425ABB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.816{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-11209-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:44.455{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-52540-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:47.136{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910F2CDD6BB1C8A393E8DC025670E97E,SHA256=2D1E7746D34D83254D895F5B5F2DB877FA2FFDAB67DD8F8DD5D1AD2BA213FA22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:47.537{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:48.636{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4EAE9EF3F4002D31CB176BEDD9B03A,SHA256=CB2118256B883F5C6D25EF02BB352BE8445B6DC9D6E2B370054D9400058F0CC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:46.657{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-3764-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:45.895{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17030-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:45.578{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-57638-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:48.167{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B22C659389AA16E3F1677473064EEF6,SHA256=E7BFB625C5124667A352529181A928B1A488727F41B3A7A98A62B352280292DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:48.011{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86FDBD7BCF7036104F3B9A52E2EAC174,SHA256=76FADBE0D3502949EA969B187F0A8D6486466FE0D37C70D410F347B19E9F3D2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:49.636{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C22817E340AB2A67B50271FC3476AD,SHA256=B2C3E62219D8B12A0A5F2CFA88A40BF38B50BB57C4E5D36EA4E0EAF51708DEBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:47.004{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-22806-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:49.198{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8D70FCFCE138656BE5D7E2B840AC5A2,SHA256=2D1E4055E38DC8C8AA77589CDE17241EC0979F19ED84DC4492D179C69608FC1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:49.167{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05F9330DFFDBABC6D6612D33BB48711,SHA256=3AFC0C87A6439FE17FF0769517D6E499247CC71FABDB4E85220D98059A81F0A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:46.841{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54179-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001557315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:46.544{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:50.636{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7DFEEBDC588CEA63828BA09D996F30,SHA256=366CD72CF62179AA5D3FBB23AA6F65E4DA62C1FB548A737B09C59DA6F0A0C770,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:47.811{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-8810-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:50.323{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=740CDB88DF3E65813E6CE9D296421CAF,SHA256=9500E02813E9E81CB1E6065DC02827E1B516FC42344A60A36F3D94D23776E88B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:50.183{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604BFA1170B9FF3285DE7817AD057EE0,SHA256=A691D7D903D396F1239F5290C602DA501CB6BE8CFB3FE83C3E16E78F08C62460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:51.636{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2886B11EEE88203C7839A31BC5AB281,SHA256=22BE8C3B95FCC8899C4573475A2AE7A7D1EFB8069261306C4BE29911E53E1373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:51.480{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C0A40E70950899F981781CF2DD4BF16,SHA256=8475B23B0D8994420E29A2235DC1ACB76F6F23FBE702BAF474C51D2020114134,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:49.857{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51578-false10.0.1.12-8000- 354300x80000000000000001463381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:49.252{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-34690-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:48.940{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-13904-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:48.127{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-28679-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:51.276{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C147FCC405A4EDC9D684D3BFEFDD102A,SHA256=EA90FD94545F0CF4D3B0A8BBFC73DA2072845167A756F23EF96E2AF8968CF48C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:52.636{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B968F6B1BF8660779AAFF078B2D05B,SHA256=41ABA7F579A447C4708E6FA4BCEBC446B7A7FD329426C4A0B320B24A7E5E7B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:52.636{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C0D94610F1826D5B8CB6A12979206C2,SHA256=EE956071196BFA042F7DAFF120B4AEBC26A7C799044AECBC196D53934BAE5707,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:50.375{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-40716-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:50.109{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-19185-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:52.292{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C8EA495BC1957361D4C9456146D793,SHA256=C4BD38A665EAE16D214723ED4A6BA47741058100D385A76865F817C1C94C8B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:53.667{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C548B2A55717BCBC03E22A2A1483666,SHA256=E2D5E1F1E4025A1E2F11B137E8D3D61A4BCDBBC4EB2196958F428C1E6A5094FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:53.745{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16F73EF85EAE8D2FA0B5B9970712B70C,SHA256=0BBB03C62E46FCF11EA85571EC0E4DE815F5E48B58340AECF79DC3A8BE12A886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:53.323{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE7D4B3675ED716E38A8DC987F3C88F,SHA256=48F8DA65B98342DD2FB5E5E1F4411DCBD68F43704E8D4B71217480A0D24C212B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:51.503{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-46580-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:51.272{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-24308-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:54.855{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F1F108709BCAC5B3FAB99C6B2D3AA5B,SHA256=BE49D3C6FB4678D5CA6A7A7B4D43A4E922FB04E35E6062A4DAD93A0853B14AEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:54.355{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4B2AAF7088AD868C15788E8F1D4E36,SHA256=BFB066F95A2286E063804CDAD3FFB6541A11B1D5EA29A67A8CF905CD34D22001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:54.667{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24E4F44E05904DD918CFB115732CE67,SHA256=94834CE26115D5CA6F4209CAB4085DA201726B71BC43C081FCF076493B25105C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:52.614{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-52288-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:52.374{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-29094-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001557324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:55.667{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F96E63FE6DEFAD10487D26B6E0B31E,SHA256=34CE9C35DBFF16A0EE665D6142DF8DC0F22282F9982A25290DACFA1BE7D0635F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:55.917{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=277F49136E566DA763F8BBD24D8546E1,SHA256=B612F8D3AF66A43492BF86A7008618D6E469BE9B90295A1E155863C81F424700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:55.370{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A79C980EFC2766157A21057504C6E8E,SHA256=D5644E84ABF8040ACA406FB9F696233E1F1202E1E66B666998F46798912469F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:53.707{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-58212-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:53.481{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-34370-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001557323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:52.486{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54180-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001557333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:56.823{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BB0-6154-EC04-00000000FE01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:56.823{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:56.823{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:56.823{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:56.823{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:56.823{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3BB0-6154-EC04-00000000FE01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:56.823{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BB0-6154-EC04-00000000FE01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:56.824{5EBD8912-3BB0-6154-EC04-00000000FE01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001557325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:56.745{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD0AD51CDA3B24203FB7210AE60F8C00,SHA256=65F1D37058EFB904861A8E36B78263F6D35FF866239148045898F6A9CBC996C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:56.433{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9B28E336A2463CC46E412A3F1C9B91D,SHA256=B775C11F6277ABF961B769BC1FBC60DD5BA0098314B226C4EA5AC03F909114B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:54.832{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-4994-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:54.579{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-39618-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001557347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.995{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BB1-6154-EE04-00000000FE01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.996{5EBD8912-3BB1-6154-EE04-00000000FE01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001557345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.823{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42A249FB9EC4832923E53CC0ADA6CF1A,SHA256=28CA0F7FD2B36C4C86545B8F5A27EAACE85B27E8727B4B3261115248EF112898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.823{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B6DA2604BC433C10F5A52B06523C2DF,SHA256=1D8FA61B7E41340914AB0C416CF31267431077C08A248F765FADA90DAC3ED847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.761{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEA0B103F6C7A9A5D79715651BFE364,SHA256=4FB1E493FFF086B24B5EA698ED2215A36E8C88DB114016A2308B500F25001B63,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001463407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:10:57.620{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b51a-0x4bccc958) 23542300x80000000000000001463406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.448{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AFD929F84B074E5A23D103B7E15DC75,SHA256=D9BB5B744B8DC623303B050C0FDB67D381DAB8EFE0737F260214A1BCEDEA2882,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.495{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BB1-6154-ED04-00000000FE01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.495{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.495{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.495{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.495{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.495{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3BB1-6154-ED04-00000000FE01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.495{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BB1-6154-ED04-00000000FE01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.496{5EBD8912-3BB1-6154-ED04-00000000FE01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001557334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.011{5EBD8912-3BB0-6154-EC04-00000000FE01}42525872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001463405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:55.889{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51579-false10.0.1.12-8000- 354300x80000000000000001463404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:55.668{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-44373-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.042{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C1473C096042F552CC397B1D909D50A,SHA256=50D35DBF949A1E7819CEFC604F9F821629F17E4745DF6AB3C32872BA4BF965A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:58.886{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8D699E8CE0E130E8FF5CFF3BEA5A7B,SHA256=A1177AE1910B60386F0F19F7CEDE49B7EEAF4D3E764A79D54BD9F7AEE4E9B89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.480{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993A331FE74AFFBDEBB630F0D4A5A498,SHA256=9314FE8DC7EA45F3845DD8621B368A00C912F0CD4DD7F760FC99E13DFA5F162E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.995{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BB1-6154-EE04-00000000FE01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.995{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.995{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.995{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3BB1-6154-EE04-00000000FE01}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.995{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.995{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001463410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:56.796{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-49349-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:55.927{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-11137-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.230{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=330C6B4FA2983F3766FFDBE110C8A74D,SHA256=B0D5EB63A7AA480C6A1301EEB99D842B409139AEFB8B97954A7231A217B82A3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:59.917{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB64B605FD1D4A563D049E206B68ED0,SHA256=31FE83599DACED518A2C0B82EAD022F152AA318CF8D38BEAC2BEEB4E5FB316EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:59.513{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7601D1D0DA6910514B0BEE54582BF9CF,SHA256=DA9DA427052BFB54E8878E6E4419DF5ADEC7FBFA3FE9F7DA58B27A8D541B4C96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:59.027{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42A249FB9EC4832923E53CC0ADA6CF1A,SHA256=28CA0F7FD2B36C4C86545B8F5A27EAACE85B27E8727B4B3261115248EF112898,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.000{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-54587-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.968{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-54455-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.593{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19869-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.577{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse63.143.41.178178-41-143-63.static.reverse.lstn.net43631-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.555{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19741-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.532{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19576-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.497{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19463-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.473{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19250-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.435{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19111-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.411{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-18912-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.373{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-18793-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.349{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-18589-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.311{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-18369-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.273{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-18200-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.235{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17998-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.196{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17872-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.173{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17732-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.149{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17607-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.126{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17463-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.102{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17346-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.079{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17211-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.056{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17073-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:57.032{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-16831-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:59.329{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-145MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:00.527{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606F59B23C923F2517BF967B3EBEBD06,SHA256=F5444FC44D92A4C810A3A64C854598895DF8DE95B288A397D89CD3DDA3FFD844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:00.917{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615A3821552036202860EB362B193ABF,SHA256=907D1F50892BC5DD6FE31B0D11DAD5480FAE98AE381268E6E89C570D90A26141,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:00.870{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BB4-6154-EF04-00000000FE01}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:00.870{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:00.870{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:00.870{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:00.870{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3BB4-6154-EF04-00000000FE01}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:00.870{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:00.870{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BB4-6154-EF04-00000000FE01}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:00.871{5EBD8912-3BB4-6154-EF04-00000000FE01}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001557357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:57.486{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54181-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001463457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.595{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-57303-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.564{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-57214-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.544{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-57107-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.525{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-56897-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.491{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-56805-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.471{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-56622-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.437{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-56482-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.403{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-56393-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.383{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-56261-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.364{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-56186-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.345{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-56054-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.311{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-55912-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.278{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-55780-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.244{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-55705-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.225{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-55479-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.205{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-55358-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.185{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-55110-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.156{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-54876-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.115{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-54697-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:10:58.031{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-54599-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:00.326{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-146MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.980{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BB5-6154-F104-00000000FE01}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.980{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.980{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.980{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.980{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.980{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-3BB5-6154-F104-00000000FE01}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.980{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BB5-6154-F104-00000000FE01}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.981{5EBD8912-3BB5-6154-F104-00000000FE01}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001557378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.964{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F009409A5F1C96E93F89ED8E3BD1116,SHA256=B2A8A3041DB0998078F756EC8F96EC11B67E2F7CF87B22E042FAD37015163E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:01.531{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6102E16F6984AC1AF28F40DB42E6D679,SHA256=7F65E2387844E0F3896D1BAEE8F3B010FFB721CBE3E37B1E8DD0112C19708760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.652{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF5DCFCD1B52FBB96D0405B40DBE3101,SHA256=573BDFAB8ED8CB32B07F14C104ABC7686B76AEE39EC435AF71834E4CE24381A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.527{5EBD8912-3BB5-6154-F004-00000000FE01}29084432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.374{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BB5-6154-F004-00000000FE01}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.374{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.374{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.374{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.374{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.374{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3BB5-6154-F004-00000000FE01}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.374{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BB5-6154-F004-00000000FE01}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.374{5EBD8912-3BB5-6154-F004-00000000FE01}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001557367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:01.105{5EBD8912-3BB4-6154-EF04-00000000FE01}32721072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001557388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:02.964{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C251C38823EF6C921D78D4CC87308D5,SHA256=7D48C057CCCBC66BAA52271F59701E35A0A5069A1DF16B8EA9F8220916C8F115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:02.577{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E23E42E513AE3BE542CF896A81F85215,SHA256=E9C20ABA8446DD2C6993C04E01EEAE45B431848F3FF3D4A7CEE1E8C504150D7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:02.198{5EBD8912-3BB5-6154-F104-00000000FE01}54003356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001463462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:03.624{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6305025014C480FEB606CF458E0BF150,SHA256=21ACA3FEC27C6B993CA98B0E3A01F590D259C9FF9156D3ED2B70C35135C69326,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:01.799{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51580-false10.0.1.12-8000- 10341000x80000000000000001557399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:03.636{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BB7-6154-F204-00000000FE01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:03.636{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:03.636{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:03.636{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:03.636{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:03.636{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3BB7-6154-F204-00000000FE01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:03.636{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BB7-6154-F204-00000000FE01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:03.637{5EBD8912-3BB7-6154-F204-00000000FE01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001557391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:59.955{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54182-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001557390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:10:59.955{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54182-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001557389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:03.089{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0CC99AB6353AF4D3511E0B7807CBA14,SHA256=38BC773D3A3F90BF3D0C80E49C2E0F5641DA34B4D0AF4D5AA496D6CE502A57EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:04.640{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974D4B03E017E2AFAC9ABE525EF6A582,SHA256=86FC27BEE7FAF3250D8BBC0203D56A1FC65E66D51EE72A40C3C68A6ECECDF6D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:04.636{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=553E968303E0B9ECDD1278B35B102594,SHA256=4150E4FBCC6E230AF9809371385D4758EDA0C7B5F6AD4D9D54A929A76E174161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:04.011{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E42AFBB00C77D0F1C4D425556B7A711,SHA256=669DC927D3C0EF72808205BAA6AEC801DD49C523CFC5C101408E81938BDBD07B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:05.702{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C77493737F9D488E002EF9DF11B32B,SHA256=5B54E982F733C97E2ECC13B06EB180D0FE4E09FA2C11C745C8CED7D8D82C9288,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:02.564{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54183-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:05.167{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=437C86C801D9D4B006B6121BEAEF7F52,SHA256=682741AC0B13CAA6148F229383DBDD0077CE6724F5D575323B6D54CC8C182389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:06.718{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E02F1A6E622B8C4407EA48F9A6EE4E,SHA256=43529065717A6B6095C21B3362C8201C462BA1C34CCDB389C525BDA211E1859D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:06.245{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF77759B135706A259C76F45FB60B68,SHA256=3C9E5F1026CA2059FF20A1A768F119FBECE5604CE0212B270346C6E95A9C6E74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:07.734{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D748D93D9ECC16EAC52FA130BD1E86,SHA256=854CCBABCBACA1012B0DF7767B29A866D044F997B1F17A61FDD0E9E8E2F1F1FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:07.277{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA91BBCA0E42F6CAD48D5F39DF2E87B,SHA256=92558630210B19563B15DEF7A14EA11732A586694F5F4A19BA249185F412FB36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:08.749{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B941A4A6CD522694CF46D42B2E11C184,SHA256=B76B2DDEA5BA5095D43F3B2FD4A33BBD1BEF69E4055B0A80B97EFDA7AA50809E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:08.339{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D103FC42E894659853BF0458D4C5DFE,SHA256=F7706680037CC7BE59CCBADD9167134B27BAF31A52C60F5611FC982BD2A71D78,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:06.815{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51581-false10.0.1.12-8000- 23542300x80000000000000001463469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:09.765{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484DE27584963DED4301730753A2F6DE,SHA256=C311F72A8D4606EB14D7EC63B98CBCB414EE5B01B958B2F2C514F1A84CEBF510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:09.354{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6010BB6A6CB44FD7D63BF0CD9C67A9AA,SHA256=C002C0A854F24EC140E73D9E27EB84C268F809A169F7067424ACE1ADFDE52C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:10.781{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D6CAF27E8C3EECB19EEB07CA2CE278C,SHA256=860AB9E23EF90C8AF6D7B4D0B904345BC0E5C6553670A132FAA6909FE8905B26,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:08.407{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54184-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:10.354{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD3081B8C079CB6F87AA2FE5BBD56B8,SHA256=60FAC39CDB5392F61A6ECC5D3BBFBEA325FA41D4B7EF839CAAF0A2AAA88053E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:11.781{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4EA925303647CABBA4E05DDF079AEB7,SHA256=965512011600925DED147B0797C021B2F5B6A0BE90D6F7979F2D61E8B2700DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:11.354{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C58041193859BB04F19B5CEA0E95975A,SHA256=A282E658229A842F0F455C71EB44D8071889392D1784E5195CB2BDBE83AE569F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:12.781{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03814D48A57E645BF74D1472E2D2A0B7,SHA256=4782083422695770B40ADD8A276231ACFF7D3F1895BB73E3115B8ADA363581E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:12.369{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81578C59145ABABC747A7885A85339F,SHA256=BEFADEA5146FF17FA5FC09A0AACDB21E9F01AC13AC2918FCB19BB5130688A764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:13.796{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5E0CE175AD558B1FC7074E0502BB80,SHA256=7F70AEFF98D6C94786C1919C8978A23FD064C07AC4D322DDB02A0D4CCEFDC9F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:13.369{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DC8655A9F459B739D6364CDB3BABEB,SHA256=9F0327E9C8987FE45DA6ACC783C016F31997777AD45E9F21D106556311367C15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:11.877{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51582-false10.0.1.12-8000- 23542300x80000000000000001463474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:14.812{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C90B18E6678033F4B59883B437B1C1,SHA256=04A1A4CB3B06C3E887A975CBCBF2C4CCF3A5A982A784CC5A13E7A0D3483E5848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:14.369{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F11353CFB2878674C56F0238850E330,SHA256=9D8D0A154A40905387248288D93AD598938D75C09A4CE5CEC03AEC7336DE3DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:15.828{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F53051E8E033C0526681808A3DFF2AB,SHA256=323EAA45E324F20B4FECDBCCF133297116A3F03D8F3C3E3A0835D4A7B90DED08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:15.369{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8848F9199E0EC87716B3A3B7C20931DB,SHA256=A67536578525CB49BD5B90B373E6622FB6F078C83D845372047A3486C1F8DB7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:15.187{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A364A79EC72D8ACB2302C7BCE686D0C5,SHA256=AFE7D5C77ABE545D173C212893601B97775C0AAD06A0C249680049B158C5EBAE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001463500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001463499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001463498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001463497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\FlagsDWORD (0x00000002) 13241300x80000000000000001463496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\TtlDWORD (0x000004b0) 13241300x80000000000000001463495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentPriUpdateToIpBinary Data 13241300x80000000000000001463494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentUpdateToIpBinary Data 13241300x80000000000000001463493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\DnsServersBinary Data 13241300x80000000000000001463492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\HostAddrsBinary Data 13241300x80000000000000001463491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\PrimaryDomainNameattackrange.local 13241300x80000000000000001463490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\AdapterDomainName(Empty) 13241300x80000000000000001463489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.171{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\Hostnamewin-host-542 13241300x80000000000000001463488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001463487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000001463486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000001463485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\AddressTypeDWORD (0x00000000) 13241300x80000000000000001463484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseTerminatesTimeDWORD (0x615449d3) 13241300x80000000000000001463483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\T2DWORD (0x61544811) 13241300x80000000000000001463482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\T1DWORD (0x615442cb) 13241300x80000000000000001463481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseObtainedTimeDWORD (0x61543bc3) 13241300x80000000000000001463480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseDWORD (0x00000e10) 13241300x80000000000000001463479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpServer10.0.1.1 13241300x80000000000000001463478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpSubnetMask255.255.255.0 13241300x80000000000000001463477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpIPAddress10.0.1.15 13241300x80000000000000001463476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:15.156{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpInterfaceOptionsBinary Data 354300x80000000000000001463506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:14.874{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:88d1:47ea:8a92:ffff-62904-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000001463505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:14.873{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:e060:eede:318:987awin-host-542.attackrange.local62904-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x80000000000000001463504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:14.861{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x80000000000000001463503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:16.843{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81277CB0BFA1373623F6DE7F913A0392,SHA256=3BDA52D9924CAC8E183D8944B89FDA480CABE8E85E25478538746EB3A1CC82CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:14.539{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54252529- 354300x80000000000000001557417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:14.536{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54259437- 354300x80000000000000001557416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:13.517{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54185-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:16.369{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E28F2C39331C6953F871135A1C340A7,SHA256=5673F052D1220562BD35D1DA501E17126EC748A8EFBF7557FC8E04BFA5395FFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:17.859{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D510CF008FFB259F0AC6B0E69BB9D47E,SHA256=1B72DEB4B1DA0C39F82DBB0752DFA346A1BBBB1A386F62A574C87F0D06274704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:17.369{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D623012568E6D7F761483302F4E46A14,SHA256=6EFC009D826CEC8B7C83BB468DB1B7131943C0ABA9E2C506D2091AE145EE3D73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:17.499{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:18.860{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D21BD05F039DB3B37981E7480F81FC,SHA256=76C5068BF58287523B517C5B4D0172983D4DA6ECB3E4E99FC25A2B42ACDCCBCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:18.370{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D1752B25F632517399A6A362D85729,SHA256=5A9106473E5608149B29EEF37EDE92EC95CEF2CCB31C023C9A7D3DE0242C1A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:19.876{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8F2F85BCD75135B8E69AEA8D009DD3,SHA256=195A6BB0BD23AE9EB0C8732154753C81526844790E07CDFAEAA02569D0F5AC6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:19.370{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA786428F3C6F6EA5739730639B8099,SHA256=E8F4C82C06C28AC5FDEE9880323368BE1424200491CBEA15E360FEF33B2E55FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:17.190{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51583-false10.0.1.12-8089- 23542300x80000000000000001463513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:20.876{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35144D783F8DB1C742FC7DA60F6E544,SHA256=6B26FD7852D0E0B1E8EBC9C95585DEF76BD17C1DDBF28CACB089964D738920D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:20.370{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F473F9CBCDF025E12C587144A6EBCCAF,SHA256=7C8B0465BF8123B0F7967B82100447E0AE997746387AAF9C115C06A9D76FBC5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:17.879{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51584-false10.0.1.12-8000- 23542300x80000000000000001463514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:21.954{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642A107BCB504F70F1F1D141CF1FEB11,SHA256=D639F908DFC4FAE84CF6DC8BB0EE3468D10B1964E6EAC27D94C92CA2729719F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:19.329{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54186-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:21.370{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1AF823A1DDC8067321AF30B217F0116,SHA256=F8E476FF36612BF4B3E0F70041CC388C1D9FD8A06D2D98C4690BC720DF3F78D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:22.970{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0649EF566C624EC081134AEBD76C849,SHA256=7191D31425206419A3C132632F68A63E6D77E619E25C4CF697AAC7B731BF59B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:22.370{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=594936C19F4FEDAB6FA2B27A4A171ACF,SHA256=CFB93A6D3BBBCBCC03084D0C90F7B7AC3AD8A4FED0662FCA97301FAE3F843344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:23.985{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284352FBF2B67B9F8A07DE81944C94AE,SHA256=272F8A1F98D98E884C8BA033BA544B6E6DE197C54006934742A72AC303D1685F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:23.370{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C615DE50A0C588175F8C40F7AC1434A5,SHA256=1F6271F3B8C92D9A9AA2AC89BA6B0E0B4BC3E015A25A70185D4343EFE2B7328E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:24.385{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4DBAF2D6756F58D5D4FA55621522C49,SHA256=05E77205F7DBF90B8DE22B07B5329FE1CC1FD1073079DDF179AFD4A63810D64F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:25.385{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502C68AD12AEA8A573536B314728E14F,SHA256=DEB02A26287BFEA4FCE85C405FD71D08D2C26EF65683CC231A0C621836682218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:25.001{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99EF1EDD634717C40F2A85684218031,SHA256=05A6028943818898FC6192814AB8BC9C03EA265F6693C687BC2430BB845FED8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:26.385{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4670C3643B0E71CC1E417BF9768B6DDB,SHA256=39D4F33CDA9917CE0CBD5DDA9C298E5EE80ECF862493E1A995A2FA310005A03F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BCE-6154-B304-00000000FE01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3BCE-6154-B304-00000000FE01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.798{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BCE-6154-B304-00000000FE01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.799{69CF5F33-3BCE-6154-B304-00000000FE01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001463519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:23.847{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51585-false10.0.1.12-8000- 23542300x80000000000000001463518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:26.017{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09241AE32C8D02B2869A028938486C7,SHA256=835B0B283EE2121CA79F1993B1673EA50A81387AC17441DD19F9D6A23CA49292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:27.385{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE07B83678A439A5E60CD9CAEB49FE78,SHA256=244DBC4FD1EC774037BB26614665265CBB1BE51775A8A08FA67FC41C2ACAFBE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.829{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D87EB30E15E56FCCE643CD2A232AF008,SHA256=92329A63670925C753AB2EDFD5DD1CA4E39F7BD35D93EF78EA4DE539A9E6E529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.829{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE043649B984B7E16B8950DA62989C0B,SHA256=B1E29BA825A7FB71DD40557B5A6DECC1E675B99279D98114BE7087A8E62EAA1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.532{69CF5F33-3BCF-6154-B404-00000000FE01}32243056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BCF-6154-B404-00000000FE01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3BCF-6154-B404-00000000FE01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.298{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BCF-6154-B404-00000000FE01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.299{69CF5F33-3BCF-6154-B404-00000000FE01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001463533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:27.032{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CAF4A081E702B8ADF040ECFA22EBB54,SHA256=4C2D8DF9D2292B62C6E7257BC3301FB6AFC7787D8508E65F7A300B111B3511B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:24.361{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54187-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:28.385{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39865A4571A8BA0AA346322CD0CEB13,SHA256=F4793FCB83099D50E38DF1742E53EA49A801227ECC0A7987D8A2701F45BFE6B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:28.079{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A48827A4E3CA589B34AA6EA7067345,SHA256=582D330C683DFF9559318566E58EB59A0550E4D4A1ED93F506125107314C8B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:29.386{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F009A6F5A79C757A5463BE739249E86B,SHA256=A2E915F913EF8F5B30C978D68EA065C7415401269371646F147B89D6CD91C761,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BD1-6154-B504-00000000FE01}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3BD1-6154-B504-00000000FE01}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.704{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BD1-6154-B504-00000000FE01}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.706{69CF5F33-3BD1-6154-B504-00000000FE01}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001463551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.095{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A349FD9F5C29653E99395ACAADEA13BD,SHA256=DD1EB2964F0845EAFC6A45213B76E3EC0FA84A80CA0101E6376552C1054ED494,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:30.958{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-1892-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001557435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:30.686{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-145MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:30.559{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB6B1B2FC3F6F9B9A8657BDC748D8F8,SHA256=7A7D80BAFAAC71CCDA5E7BCE1F0015418256FAD29B82C80825A19D6E59490D60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:30.735{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D87EB30E15E56FCCE643CD2A232AF008,SHA256=92329A63670925C753AB2EDFD5DD1CA4E39F7BD35D93EF78EA4DE539A9E6E529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:30.095{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E254A788BC1009F5D3886DD30703E4,SHA256=7A0247B07437D0F2602D2AAC2D652DD5F7DF54079B30B4BB0AC298B779A1A299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:31.694{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-146MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:31.568{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36870B1B4E58C49EDD930E4886178DD6,SHA256=E40757140C206E017CDB3072873E9E3B49D2C5E7651A207BC878B1371FEA4800,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:29.784{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51586-false10.0.1.12-8000- 23542300x80000000000000001463567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:31.142{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CCD20EFDEE23D0ADF0AE3E642A5685C,SHA256=8DECD0904536B83A3292E9EE1A88B76271948951D33D89D3BFEBF94784F97BBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:31.162{5EBD8912-194F-6154-A100-00000000FE01}4472ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:32.616{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A6EB40BE22668D64F2B09948ACE101,SHA256=628490FA460B936A5BEA9889A5100EDCDDB9C33C53DCA53918499869C893890F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:32.173{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0228346D43083A2373AB6A7774FE7664,SHA256=11FAB0C071F505D2830BE397774DC06EB1C24B37FFD0E4FB0C9559A0E3007F3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:30.279{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54189-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001557443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:30.279{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54189-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001557442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:29.455{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54188-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:32.193{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=220E256E283A8C9355B36471D85B053F,SHA256=964CA16FC434FCC210A98BD833C0812184DB56C4FFFA41C82517DAC4EC5D0724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:32.193{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43C21E3837DADB6CBC22535222ACCA1E,SHA256=B59BC2619D1270BD9B030EAC73CE668FEF7159459A8C7490459268CA349428B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:33.679{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75FB57713D6B7A679C6DEA325E377F4A,SHA256=92C93F56BA576EB41480EC1754B31FD5F5059CCD5093D0A4DBA50DCB42CE4105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:33.220{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B10409B3E3D0624AE889D25DF65ECCE,SHA256=DB899AF69E07837E67EF8B951D3316B944098FC49DD5835FE623AAE5B086346F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001557459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000001557458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000001557457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\AddressTypeDWORD (0x00000000) 13241300x80000000000000001557456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseTerminatesTimeDWORD (0x615449e5) 13241300x80000000000000001557455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\T2DWORD (0x61544823) 13241300x80000000000000001557454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\T1DWORD (0x615442dd) 13241300x80000000000000001557453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseObtainedTimeDWORD (0x61543bd5) 13241300x80000000000000001557452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseDWORD (0x00000e10) 13241300x80000000000000001557451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpServer10.0.1.1 13241300x80000000000000001557450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpSubnetMask255.255.255.0 13241300x80000000000000001557449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpIPAddress10.0.1.14 13241300x80000000000000001557448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:33.616{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpInterfaceOptionsBinary Data 10341000x80000000000000001557447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:33.194{5EBD8912-18AC-6154-1600-00000000FE01}12725024C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:33.194{5EBD8912-18AC-6154-1600-00000000FE01}12725024C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.882{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001557472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001557471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0089c921) 13241300x80000000000000001557470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b511-0xffda695f) 13241300x80000000000000001557469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b51a-0x619ed15f) 13241300x80000000000000001557468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b522-0xc363395f) 13241300x80000000000000001557467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001557466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0089c921) 13241300x80000000000000001557465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b511-0xffda695f) 13241300x80000000000000001557464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b51a-0x619ed15f) 13241300x80000000000000001557463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b522-0xc363395f) 23542300x80000000000000001557462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.679{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C97E1526C7508EFD5116631AC43BA9,SHA256=5E10C875F02F1DFCA756959B2C650CB4753D7EF904DB14C6B6EE5C94B55C16FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:34.220{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB192E29434F47B3F864913AE28B1B1,SHA256=7E699C688145C6B3D260C4FA2435435E955EA713E337C5F167BF2D1B0EF0D9D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.398{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=457B189984BAC2B8B76A8D16419D9C5E,SHA256=2D54CB12DD0876716CC8316343508264B9483C3B6718E5467ED7E1393C80ACC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:32.935{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x80000000000000001557488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:35.726{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81D860B6713F1F9D921E6736819BF65A,SHA256=1412F848A235147F6116816ED341B0A5A1A46F2AD48583142A1BD188A47FF3CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:35.251{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC36AC40867D66649D539E04D58513A,SHA256=1C99FD90A9A5A85822F668EA26C0B17DA8274B79240D04DB422778F4BD84204E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001557487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001557486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001557485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001557484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\FlagsDWORD (0x00000002) 13241300x80000000000000001557483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\TtlDWORD (0x000004b0) 13241300x80000000000000001557482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentPriUpdateToIpBinary Data 13241300x80000000000000001557481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentUpdateToIpBinary Data 13241300x80000000000000001557480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\DnsServersBinary Data 13241300x80000000000000001557479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\HostAddrsBinary Data 13241300x80000000000000001557478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\PrimaryDomainNameattackrange.local 13241300x80000000000000001557477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\AdapterDomainName(Empty) 13241300x80000000000000001557476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.663{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\Hostnamewin-dc-429 10341000x80000000000000001557475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:35.648{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000001557474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:11:35.648{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 354300x80000000000000001557507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.983{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local57053-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001557506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.983{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local57053- 354300x80000000000000001557505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.983{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:98b0:5308:84ce:ffff-57053-truea00:10e:0:0:0:0:0:0win-dc-429.attackrange.local53domain 354300x80000000000000001557504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.983{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54352- 354300x80000000000000001557503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.982{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57127- 354300x80000000000000001557502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.982{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57127-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 354300x80000000000000001557501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.982{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53325- 354300x80000000000000001557500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.978{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65184-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001557499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.978{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65184-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001557498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.976{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55258- 354300x80000000000000001557497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.975{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local65183-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001557496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.975{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local65183-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001557495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.973{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local65535-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001557494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.969{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59190- 354300x80000000000000001557493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:32.943{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:98b0:5308:84ce:ffff-59842-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000001557492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:32.943{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59842-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x80000000000000001557491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:36.773{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B6C9529AB7B4AF936694BA94EA1831,SHA256=8E1408D981CA00D7AAF85A394B66766A6DD9CA3B89D4A88119F6CC860F423D0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:36.298{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113D76AC72F25C52EAE9EE66A2D6F7A2,SHA256=9AF866C29265CE09DC8138D8A8DC56CDEDCDF7E673C5179EAE8E91C8C82B7250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:36.757{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=220E256E283A8C9355B36471D85B053F,SHA256=964CA16FC434FCC210A98BD833C0812184DB56C4FFFA41C82517DAC4EC5D0724,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:34.909{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51587-false10.0.1.12-8000- 23542300x80000000000000001463574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:37.314{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9C6504D08C7E8A653D5114B2CC9142,SHA256=3BC0882B2F2A29CDB8069CADF4026F248DD8732A6D8E8DD10931E18C6406B1C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:37.960{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28CE7B03AD7457446BA0B9EA3BA6636C,SHA256=FD595851DD60BA2B42636980F5819375CA534FAEAB9F0FCE9A80A42B04C38090,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:35.342{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.92.42-49479-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:34.984{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local51830- 23542300x80000000000000001463576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:38.314{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0A6C2F76AB8B160DFD42F85EFD732C,SHA256=5D7EF6FC6099EAF78D3EE6423211C0746AC4B16C78FDE98D6E0FF766D794BE7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:35.467{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65185-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:37.991{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50EFF063AA6B65D6BCC8B14B8F489D83,SHA256=A1B52910AD3166D78F845D8C14BE24416E1CFFC421C94375FA1124E179A7C542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:39.345{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C618D86796CE536B8DEE77C43FFDCAAA,SHA256=4277771820D246614A0E05A6E03F52B0BA25C589ACE7F57FC02E149172413486,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:37.474{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-52935-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:37.437{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-52812-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:39.241{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A47D728EE4F07456FFB5823EF1F18431,SHA256=090E2283B2603E982EE4CB50B2ECEEE951BEFFFCB11BE03D60810CD2C4F025D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:39.163{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81612B43C205DCE0A9A9A230188A3132,SHA256=310CC9C147718439F0392D8878D64A327712FFA24E058341C9CAC206F98DB8F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:40.345{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743CFB114D9D58C40AAA763B89F01067,SHA256=3BBFE95BBF8F8B545692E60646CE51C7790B3982317ED7E4DEE6B6354BA15616,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:38.660{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-58981-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:40.398{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C322B2E3961F87015679B4BB0536C9AF,SHA256=CC235A389FEC68939F624FCDBD7BB8B0A17DBA9117D0236196692798072EF15B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:40.179{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C1C1DA48FECD43E65B9664F261D8F69,SHA256=DE27F5F72E6D362043AC02E5E6DEF623812DAD2100EA792CEA322361E17A2191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:41.454{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671BAE04E3D05746EEC1406983F9989E,SHA256=3D22BC168010BAB79A32E8DAB284F36066B10E7BD4DEF88D7AAA611D78077484,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:39.752{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-5770-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:41.492{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AA141F66DC4520F125006884886F7F6,SHA256=D24F4D91DE08E562FA8DDA166289B4030F770CFBBB2E711F77D98F56305709F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:41.179{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF88F80960F411E7777DC5AF0C9D272F,SHA256=D8983982B7A627D8184B949513BDEA93C4B193D7BF7FBA366915EB3A35C94878,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BDE-6154-B604-00000000FE01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3BDE-6154-B604-00000000FE01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BDE-6154-B604-00000000FE01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.564{69CF5F33-3BDE-6154-B604-00000000FE01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001463581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:40.941{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51588-false10.0.1.12-8000- 23542300x80000000000000001463580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.485{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D30CC5A3AE56772A27C2F5E0C1A65468,SHA256=16C0408DDA5903C282031759D49C12A505122D17B5CBE252AD8AF18B6AF15F24,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:40.832{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-11354-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:40.514{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65186-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:42.679{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AE75B066BEC36B93DB08D0A451CFD8D,SHA256=31264E797D1647D59F02C75D0FA05030AC66CB8702B16EC2D1D28942D0B3D393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:42.257{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7846765E2B4ED9DBF92B9789BFBAB9D1,SHA256=FE7ADCD3B2F11D9570306D91C8BDFCA844DC2D88DFC4C48E290F68D7B654069E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.876{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9099D18F9678D4E79A8647BA0B2FA76D,SHA256=669126E544E8088E67ABF183E84CEBB653ED8E3F237FBEABFF06A1A1C03BFA42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.876{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B598565ABCD6674FF63820FBB2C3030,SHA256=EFED8FF5A8438C6F45806526A0F36E80BAAAC718D512DEBE1928DE9C3E69EE4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.876{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=374DA90B881E18B2A3CB6F8F9E583474,SHA256=C8CBC80C8C770C5420D65BFF66364FB74E561A0113405B213681A13F0396CDEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.610{69CF5F33-3BDF-6154-B704-00000000FE01}15521444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001557528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:43.757{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E062A22E4AD46F20EC1083C50ABEF70,SHA256=9AF619874FAF09FB9A9DF6D625B7CB65D2B038CC84D45E1A240666F70045F951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:43.273{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45466C387D008EC0B33BD431C4376A5,SHA256=8D534F062E681F46938B2D09FE6D5215D39008F265DB103EE0F0CC931FD141CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BDF-6154-B704-00000000FE01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3BDF-6154-B704-00000000FE01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.454{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BDF-6154-B704-00000000FE01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.455{69CF5F33-3BDF-6154-B704-00000000FE01}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001463595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.032{69CF5F33-3BDE-6154-B604-00000000FE01}5921308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001463643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.829{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9099D18F9678D4E79A8647BA0B2FA76D,SHA256=669126E544E8088E67ABF183E84CEBB653ED8E3F237FBEABFF06A1A1C03BFA42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BE0-6154-B904-00000000FE01}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3BE0-6154-B904-00000000FE01}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.798{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BE0-6154-B904-00000000FE01}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.799{69CF5F33-3BE0-6154-B904-00000000FE01}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001463629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.626{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=883EBFEB1116D1E844C811F0E2CA6659,SHA256=3BB73F14816EE17066117CA91DBDE1B94ABABC0D83F03024893D8E27351C8BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:44.882{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D070E9C08FB5A13335B456A7C4C99E5C,SHA256=471C4E6AFD480F8B9BFBF7DDBBE4E382A86E75308DB916AF55750D03CC1B4596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:44.304{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB7EC57311C68A6C797FFAE1E462E6D3,SHA256=79DE4AE1B934157E7938D2A2C207FFC28683FB9562BE9E4AAA9203B91849F2ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.265{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-17221-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.225{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-17024-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001463626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.330{69CF5F33-3BE0-6154-B804-00000000FE01}2544932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3BE0-6154-B804-00000000FE01}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3BE0-6154-B804-00000000FE01}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.126{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3BE0-6154-B804-00000000FE01}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.127{69CF5F33-3BE0-6154-B804-00000000FE01}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001463647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:45.954{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F416CE5AC832AD6CDA7E20645C18C906,SHA256=D4D74B759380FE8904BEA1F56EADF5579FFEE1B3D3E048F7ECCDCCD349F34A76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:45.673{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EDF070AF928B3EC18AD4501EBA6E4B4,SHA256=E81BE42B3646B3DB1CAF9E27A4C3DB411DC78EF5CE332E21132391F735DB7439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:45.320{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B5907D0F229B3D7F05AC7AC27463790,SHA256=D424AA88389886B74F586A97385063831DEF90FCF437B105F4914C069F01D289,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:43.430{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-23325-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:42.364{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51589-false10.0.1.14-49672- 354300x80000000000000001557532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:42.027{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54251589-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001557531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:42.019{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-17699-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001463649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:46.751{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6303BF8400D956FB3F841F13DDE71E,SHA256=BAD78EE9FC3550153631F2332A508DF61DB040A16B144AE56DDCCE852B8C6636,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.382{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001557536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.335{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB8CB88C94A13CBCE511A6AE4200A897,SHA256=B46686D40BBF0D7B46C9685BF9D031C77FD8EA43E698E82C2511D1218028FBEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:44.556{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-28891-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001557535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:43.112{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-23423-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.007{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FB5D76DD6DB96A884CC90A5DEFF7AC8,SHA256=23DD8103A5764E5489B65FDA2BAAD4ACF4F2A750191C7D49FBECB30A3C3AD242,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:45.682{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-34763-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:47.798{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=469A998CD34E76F8D0FCEF7A6F7BC301,SHA256=C14D9C797CF1F0B18A8299D63CB113BDA7B0E46020147B50EDFDDFE232BA9348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:47.585{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B3D3B604BF19A8B246D371FF358B5B,SHA256=B4E24E0A431DAC949AA15B66965F0ECABA1F22FB301FEEF6327A36BE6A055902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:47.554{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001463651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:11:47.454{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b51a-0x6980da8f) 23542300x80000000000000001463650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:47.032{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BD3460283602E5738662F01988DD8C5,SHA256=34BE488A186B6576A9A7B658DA5AF9BD2E478C28E189EB2B69E80FD4159207C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:47.085{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99A59843C454AD62A3A0ED5F4F07D5E8,SHA256=7AA48207EAE7E0CBA01CBF7F78B03C2FF0DD13A5AE65086F597F398FC961B7FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.829{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D358D5DC58B3B4C96BEA8383C7997D66,SHA256=7E3FD40BF6722B45D7B37DE8B004F6775BDB8EE001E93DABAD8A4070B276417A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:48.829{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D0D59925FCF43D33C313C0CFB3AF55,SHA256=89E86D82602422E7554898410770A9E34DCB04A46A550D58FF9B5102D1663977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:48.110{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6681BB58CEBC8272B628ADFD4E84D955,SHA256=B6D8AF2A65247B50DC3D1A7EE6499FFD7EE871B7555CEE01E95C408CC4F31658,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.288{5EBD8912-194F-6154-A100-00000000FE01}44723384C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.288{5EBD8912-194F-6154-A100-00000000FE01}44723384C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.288{5EBD8912-194F-6154-A100-00000000FE01}44723384C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.273{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.273{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.257{5EBD8912-194F-6154-A100-00000000FE01}44722744C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.257{5EBD8912-194F-6154-A100-00000000FE01}44722744C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.257{5EBD8912-194F-6154-A100-00000000FE01}44722744C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.242{5EBD8912-194F-6154-A100-00000000FE01}44722744C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.242{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.242{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.242{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.242{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001557579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.163{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FB5038D3BCBD1319687840E02F8FEBD,SHA256=71B8C57951401E75E355293F643203F17A4AE1DA26A2AEF54E4FE0EDC6129122,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.148{5EBD8912-18AC-6154-1600-00000000FE01}12721548C:\Windows\system32\svchost.exe{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.148{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001557576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:45.346{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-34780-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:44.235{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-28950-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001557574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.054{5EBD8912-18AC-6154-1400-00000000FE01}9483188C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.038{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.038{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.038{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.038{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.038{5EBD8912-194C-6154-9000-00000000FE01}28444276C:\Windows\system32\csrss.exe{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.038{5EBD8912-194F-6154-A100-00000000FE01}44722284C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+3d433|C:\Windows\System32\SHELL32.dll+3d2fb|C:\Windows\System32\SHELL32.dll+3cc17|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5 154100x80000000000000001557567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.031{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe10.0.14393.953 (rs1_release_inmarket.170303-1614)Registry EditorMicrosoft® Windows® Operating SystemMicrosoft CorporationREGEDIT.EXE"C:\Windows\regedit.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000001463659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:49.845{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF9846CF6D28AE0CE5164C636DEC259A,SHA256=E17B7F781F175DF3484144470EA193CB3138595746E0EE60BFD5ACC918EBF551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:49.251{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2A286B4EBB00ECDBD29EA131DB45CD2,SHA256=ED97697601E6B2D2B313E85D4E4AC5EDF00E0F4A10045602E3736F3D1EF07700,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.858{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65188-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001557595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.425{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-40452-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:46.420{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65187-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001463658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:49.189{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D2F500874F67F4C66C26CCB043B57A6,SHA256=A074A291F7418F135C04275D5A2BC0DF11D316B5689A87CCD4F3A2F6FF122EC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:46.759{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-40428-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:46.706{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51590-false10.0.1.12-8000- 23542300x80000000000000001463663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:50.861{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993820C12E922E058050CFF73583A3E5,SHA256=18F53CCAA27106A8F5FE656420E602FE73F9F3DB2BF89F7E7E525A5429134861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:50.391{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCB6E695F8F7E2FA8F30685402539AF6,SHA256=0A63C01950DB4966B5A354031EA69B077F8C573C93F39DDA9BC4CBCEA883B22C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:47.502{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46113-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:50.048{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D1B279D16F13C7795EDA4B40A3D505,SHA256=2F6C63E157C1C96699673202156C8A3B92534532963C584D8B9E4EFB1992ED95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:50.376{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=528FDAE9D33C77BC82DDF72D64577703,SHA256=65655248F37194AB28B758D9892A3B887BB6A9785E1E7E38C6240C0085D3AC96,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:47.836{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46090-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:47.143{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x80000000000000001463666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:51.892{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43AA144E4BB3660056ED537BF48F4A09,SHA256=02E9FB40D9FBB2245F9D70EF4E11CB83575AA03C5A13B17ED5E98E5A49B7940A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:51.469{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66C335CC1D31F817196908738FBD2060,SHA256=6BE1E5D2C1195244C14EC487DE8B91E95C4151994D9A653B9189B82DBDA0353C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:48.641{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-51855-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:51.048{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08EA1F83335593F86707B32C947AD25,SHA256=24703DB1587762C3A056DABDD9DD6B7910B5C083E81727DB7B9EB8A344D99632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:51.501{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A3EF55A498D99D4BEED66652B6F80FD,SHA256=A810D0BD855C161E2F30C85FF824108885E281F2BE2DE57C212D534D7A2DAFD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:48.978{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-51726-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:52.923{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4153B3F9F3E3EACFA2D453DB1A597400,SHA256=6F7FC032D0F6315F18F23DBBDF366B03A8984FE48733BD93B22BD6AFB5D4CF92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:52.798{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D795E9D337E6D55294AC2D18F5A5212,SHA256=8D74A3BE57E4A8D40B7B0E661C0EC06C3DBF786071A5AB5A4AA3C8046D13F027,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:49.731{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-57399-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:52.126{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CCF19087BCDEC79548BCA5FC3202B0,SHA256=72C4C5ABE34A6A2D760E01B297F47973B06936101AC9514D51418821133FC4F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:52.627{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1892F9ACEEAEBA944FE0600387AAD1F0,SHA256=829EA5CD58F8BF95929F430CF33EE20114269DA09BC125BADA1B78519FD7F186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:53.939{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C6D4472C7638A8F4E9C0B42D87313A,SHA256=DED7F53C6A07E41EF2C4A13BA9BD42FD3D4E2E616B0E240096C68CE7FA0D5199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:53.204{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2F04AF40C6898DA9AE0E9C3A0557E7,SHA256=12D3676A9E0D9A69957256D61604400ABDAA46C66EABAF45E4539E7F1456EABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:53.704{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7BAB97C6B10A9F656DE06618AF53AEC,SHA256=E9FA03DBF60CA32B2FC5FF7A39C9844A13F3A3CA20ED45EB787D907325057518,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:51.240{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-4530-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:50.116{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-57564-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:54.954{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74983C18A6CC122F65A563AE27C97B35,SHA256=7097A7522D864C10A3653ED6FF568D6541F0AA7F014DF7D916FFBF550DDDF600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:54.829{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D01CA32C99755F044C5D1F0D487A9F3A,SHA256=B3C53A9B8B9CA0AA4A4B2A40A4EEEBA5FE0DEB7A631EC8C162FB640BE2B027D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:52.353{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10300-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:51.847{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51591-false10.0.1.12-8000- 23542300x80000000000000001557612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:54.844{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C151CE941D4E016FFD11556A948E16C2,SHA256=87CC2D07BF5388F36890C879A5371462610B2519EA2FC113782A62FDCE8ADA04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:51.948{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-9869-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:51.429{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65189-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001557609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:50.823{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-4092-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:54.204{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C1F11938393256EAC069E8E477356A,SHA256=D5E844ED9F908C1DCA679769D198F246FA27A4BF8F08E0BED20677EA8B4420D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:55.955{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C2FC0EDCB8F61F9278AF4951996B4A1,SHA256=44E34EC05E763CEB5715424D729E56975D2AE9B778FA4CE92710837FA6B531FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:55.939{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99BF4B1691133D8CF27FEE6D4D38455A,SHA256=6BAC603BE0241EAFEDEA24A07F9D9BDC981DAC3B8408F3560D99B82CE82C27B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:53.442{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-15971-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001557614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:53.074{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-15785-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:55.204{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D111EE938309DC36AA1BC0709A0DEFDE,SHA256=CB90B9959053A645A750C80460A67F0EBDC7ED5828BEC3D03B246768A6F0C0F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:56.970{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CAD77A3F216E56BAA721F21A999CA52,SHA256=C3E47AD53FAFD487942D1F2F31F6BE92114EAAE622C47F940C456E2A83532FBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:56.845{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BEC-6154-F404-00000000FE01}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:56.845{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:56.845{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:56.845{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:56.845{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:56.845{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3BEC-6154-F404-00000000FE01}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:56.845{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BEC-6154-F404-00000000FE01}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:56.845{5EBD8912-3BEC-6154-F404-00000000FE01}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001557617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:54.220{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21778-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:56.220{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E139002A9265A2345E30ABA18D602B7E,SHA256=EC3E57EDE073249E676A76710245F7CE8E2219B2154C4703DA8F3695A7B88971,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:54.565{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22012-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001557615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:56.016{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F4DE60F85F79C4E9636722524A18B84,SHA256=9C20A8E9232768A9B3BA64820BD43BBF8598614389BDCFA3BE4640E8D3D37795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:57.986{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E5D69819795F0DDA5339A5C555EDC0,SHA256=AFAE26489363F0AE9DAB541B56C399278D7FD24DC58CAF6553B77D1D378C3F7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:57.845{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BED-6154-F604-00000000FE01}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:57.845{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:57.845{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:57.845{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:57.845{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:57.845{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3BED-6154-F604-00000000FE01}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:57.845{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BED-6154-F604-00000000FE01}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:57.845{5EBD8912-3BED-6154-F604-00000000FE01}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001557637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:57.579{5EBD8912-3BED-6154-F504-00000000FE01}56846076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001557636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:55.372{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27656-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001557635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:57.345{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BED-6154-F504-00000000FE01}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:57.345{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:57.345{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:57.345{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:57.345{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:57.345{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-3BED-6154-F504-00000000FE01}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:57.345{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BED-6154-F504-00000000FE01}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:57.345{5EBD8912-3BED-6154-F504-00000000FE01}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001557627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:57.313{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57C5711291C4A900B37BF7EA51885F1E,SHA256=95B70EAD58B483C5A00F9C961DE22A6C9A03BE5148EC95B14FF6D6F557C5C0E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:57.235{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358FB4B023F0D0D2689E067FA98D092B,SHA256=F77AA363D5394EAC9BE6DA3EA5FD6229CE9C9FA5C8398C0EE371C6941DD1A199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:57.048{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A545AC520623D77F30B72A41E11AC6E6,SHA256=B4E9CF0882F7FB30BB3EEEC0C0846D5BA35C425A2DBE0BC396D01CDEA25A9295,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:56.863{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51592-false10.0.1.12-8000- 354300x80000000000000001463686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:56.775{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-33527-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:55.665{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27521-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:58.142{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A108E96C526B3AA3A189E32DE1A3F696,SHA256=32947663429464EFE25E29BB5CE280293AB922294310A58B90736EEB38795D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:58.345{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D164741E0C6486B8B08C5D65064CACF8,SHA256=43B6AE90F559F15B109FE56FD30294F89652C6181A4EF027E0FA29885368F3A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:58.251{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F48244BDF120A41AC63BF0920FDBAB0,SHA256=C9CFF9DD9BB713E084FDEF68E451CEC9EA72865CFF86AE5930727E0ECEA5EEE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:59.345{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECCE83CDAE6A49ED690EB4D3F3DD795E,SHA256=A86751B45D3B4359E7C9675ED8330D8FE8A93CF845510E0F71D9DBF8DA6BD634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:59.001{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F9965BBF12F88F67F68B16D51487FBD,SHA256=C7564CE6A7FA049584144EA1C6E34996482F86386E9C04120DF1E1BE90F7E0F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:59.548{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F0941D16C4EC403CED9BD16EE499BCE,SHA256=3FA6B804D702ED6D37447F7B4F988DBAB03963491C86ECD33BBB9004E28B419F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:56.429{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:59.282{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5AED69F0294EE73EE1E3D77BEC906BC,SHA256=C554EB1728D6A9416C5E329A5C1366E831A0E071FECA5C260050E1DE41273C99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:00.876{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BF0-6154-F704-00000000FE01}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:00.876{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:00.876{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:00.876{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:00.876{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:00.876{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3BF0-6154-F704-00000000FE01}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:00.876{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BF0-6154-F704-00000000FE01}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:00.877{5EBD8912-3BF0-6154-F704-00000000FE01}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001557654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:00.626{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A59BA3647B92066DFCBBC089D1F74AD9,SHA256=1931CD632A8E417A24C41358C4E90B2CB1287F971873A74AF8F45C5FB20887EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:57.777{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-40075-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:56.677{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-34425-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:00.298{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3970C3C7DB5137C8A500E638227B083B,SHA256=42C9913F9AD6D6DE025284BCB551E4DE913C4F4C8CEC862A594E7FABB44A9627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:00.847{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-146MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:00.470{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC7714C580AC95B2430361495DFB33C9,SHA256=1344AB03C0C4CF2C6D708D7A3B2E74A1CCEB60F1718F5F9C18F837E930A2C813,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:57.883{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-38955-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:00.032{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37F8A3734B872B5DB13695D43205CAD,SHA256=AEE1362BC195E3237CCF79374FECF6048F8BB89762495050E0C60368EF5BD385,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.876{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BF1-6154-F904-00000000FE01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.876{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.876{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.876{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3BF1-6154-F904-00000000FE01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.876{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.876{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.876{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BF1-6154-F904-00000000FE01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.877{5EBD8912-3BF1-6154-F904-00000000FE01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001557674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.657{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDCE6F35E5D1DF46DEA75DD711ACFA61,SHA256=B415906626105EBACA85F5FF420AEF3AEC1437BB739A720CA5FCF0AF4998DFB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.595{5EBD8912-3BF1-6154-F804-00000000FE01}47445592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.376{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BF1-6154-F804-00000000FE01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.376{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.376{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.376{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.376{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.376{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3BF1-6154-F804-00000000FE01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.376{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BF1-6154-F804-00000000FE01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.377{5EBD8912-3BF1-6154-F804-00000000FE01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001557664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.329{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E8D923A1C06AC9BA016E6C447BAB903,SHA256=91030B444D6F4B6893A613CC9594AF5719BD0A02E4E64DA9FC6D64472064DD87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:01.846{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-147MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:01.580{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2571C56C98A27E8BFBFE5B667EFB9BFB,SHA256=343DAFA2618EE61461F2095B36565BE185F12574EA4EDE73D2A0924FF7F46D75,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:11:59.085{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-45200-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:01.033{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F85BD0E011C010D2423D2657CB991751,SHA256=6D288091D91597F165C351042154F41C54BA9733077FA45AF28CD9D9542DAF9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.110{5EBD8912-3BF0-6154-F704-00000000FE01}55283560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001557688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:02.891{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27F779EA6FEA5EBCCFD41FB221279A65,SHA256=AF73FB98FA9B206873AC5563D9DA8226E35FC7DD486C36CDF0E600896F0B6BBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:59.961{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65191-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001557686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:59.961{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65191-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001557685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:58.887{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46032-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:02.329{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E90A2EF6C80819CC34A03440D7942B,SHA256=CC06AA7163B7A44DBAE8661C73BCFD7C68592EB9F57F6DF42B6F9B408F053809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:02.690{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B0C0C34834B93AF962918D3526B780E,SHA256=DA272B3CFAE8B7E88AA042BC55AD37BBDB0041364CD1100D5BD4F45AF0AC2687,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:00.213{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50836-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:02.047{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595F1148EC749AACCA675BC0A6F850DD,SHA256=5182C6F6382FAB05ECCF50D5965644C6E684279E5E6F7112FBF5F2D858EF9DDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:02.048{5EBD8912-3BF1-6154-F904-00000000FE01}32244284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001557699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.091{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-57232-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:11:59.980{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-51449-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001557697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:03.485{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3BF3-6154-FA04-00000000FE01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:03.485{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:03.485{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:03.485{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:03.485{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:03.485{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3BF3-6154-FA04-00000000FE01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:03.485{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3BF3-6154-FA04-00000000FE01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:03.486{5EBD8912-3BF3-6154-FA04-00000000FE01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001557689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:03.376{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66A4CDDD87ADDFEBE624E4E981D3A9F2,SHA256=04DBA65A2C91DDACD9ADD59F7CCE04F1AC35D93285C384EE910F403445627878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:03.784{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F526542B1D602B69AFD1D179DCD647AF,SHA256=1DC77475695C39B4F3E4F59D23DE8CE1BE27F12C9597382991E8F34DEFCFA780,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:01.923{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51593-false10.0.1.12-8000- 354300x80000000000000001463702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:01.324{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56603-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:03.065{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29A3065118AE9F599D51AAD467BE1A2,SHA256=62EC7FB42A0E6EA7526B7AFF959E62AA044757A3137D0F63351C3FBF78F9B8CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:02.276{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-4405-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:01.539{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65192-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:04.376{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E8BD315894D46B0E3DA6E9EAA81C9B9,SHA256=38AFAB40D5B8AD32DED40CF3664BA69C0073CA95E59BF15E822DA3E700D007B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:04.894{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D34401B0F0ABCA9EF7F31FA5D7768CC,SHA256=A62E2EAEE7A780A44FF1D643FE05AF9FDE21DEEE18F137C9F95A7A31A39EE4D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:02.420{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-3491-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:04.081{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=498712AA7AFEB3F41A672D3F5E118F99,SHA256=C3686959E2008147CC4C023B3DB88496182CD79583C2B0F0E880D4ABB262D140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:04.048{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1170BAF6922380B84C09DEABC2AF657,SHA256=B7BE614BD5F1CAF8069FC9B4B3DF43804FEEFE1C2D9D1E9F3EA94CB2CEE4D69F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:03.428{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10047-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:05.376{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB7ACB592209191A1FD0DD315AB1B72,SHA256=5A94BDED77EF49A4AFCBB3F04431740A8C61EAFED0A37F6BC9124AB904A45630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:05.987{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97067410420CC15F37A3E5F53D342F3D,SHA256=E57DAA8446A9A63C5F3DD96573C75D02BAD4F9B2C31E6D166C2C6FC81465B83F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:03.521{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-8737-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:05.112{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8754EA9AD4FE7D5CC5858A85FC569380,SHA256=5CE3CAAFC95E195D1EAFB0EAA2D0B34059B536D9F94ADACF5FAA85CDCC17DFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:05.188{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BACCB6E138002B80B58594C7697919C,SHA256=C444D3661F359588B11C968D70BFDB7AB656809D5F29B61B62DEB7AAF54FD784,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:04.601{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-16209-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:06.376{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0F3855EEBFF4AB6F34CECEBF2F7E485,SHA256=54680F2A053B10E7E487EFA98F62C3F9A5C109941E383A2D2725AACC60DACD05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:06.376{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFF7D3901AFF678A8CE3232CAAD0579,SHA256=3F21B5C126D488C941E21921B726E8503578232F2A19317A1C6F10940D71682C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:04.620{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-14841-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:06.128{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3106EF5224B99F2BE6DB12823A462CDB,SHA256=E69A15631001F8F7B2ED3259CC3CDA94D9EF07EFE499EC0B5D89F97BEE18D0BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:07.501{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8791F54BF9A40956A08FD694F4521B2,SHA256=63741D04AE978A676E0B0D50B12DC987EE7266C27D844B7EAF41727CAAD602DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:07.376{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881A9742453FEEE98BBF13313B90094C,SHA256=195342A6398BEE485B85F447A4803264F90D3DF26D210365EC4294945A52D764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:07.143{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E56AED7E43B51D1558CE584983CC02,SHA256=8CA22E7A6489364DA991B9D6021F65AFB5D05443DBFC2B924345FB1118469353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:07.128{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C68DF5D0492F3806B77CAB72B66E32F,SHA256=75E52ACB3288E398F2E7320E69D8097F0DA870266332562D07950E0EF9D236E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:08.628{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7579968D6EC68B32FBB5EC71382E75DA,SHA256=72F33C82904C222097362BED6F1DB5E6CB610132455B030CD28EF55114C4D860,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:05.729{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22165-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:08.392{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB29A003B1A3FCF5361880D801E0DCB2,SHA256=B27BFCAB0B7BE96BFD9892004BC99AC5EE9238D4D235CA9FD646C0A1C432998E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:05.740{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20505-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:08.315{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B484ABD3138B4DEF0FDF2006D9882CCC,SHA256=12BEFBE76799ECAB0BEBD3DFE5101A79A4AC55B7801EFDE61C65D7DB83FF995F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:08.174{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DA36F09FD531B56B6540EF9C10E51B3,SHA256=C8259BAD4431C26D9CED3D0A544FD4AC416B53A3A818504267A7EA21ECADED3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:07.308{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-59451-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:06.958{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51594-false10.0.1.12-8000- 354300x80000000000000001463722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:06.879{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-26488-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:06.225{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-52489-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:06.201{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-52331-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:09.487{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=475D5F3CF225A0E7612506207CD4BF22,SHA256=AF4D9A1E7BA88ADAAF9442E29D8A980A9BF5377369EC49654FA0D41E29425D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:09.190{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D532916F597BC2176012615CA8BB479,SHA256=66EC89075EB65EB01A83710C70D1193FADC3DD5976BCC9090FF66EFF99666F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:09.738{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1F7203CE936E9039E1CA5F875E36465,SHA256=B4F546361B85815F3C59624711E95D845B9CA12DBC7343AC37AD589A05866A48,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:07.523{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65193-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001557716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:06.855{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-28372-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:09.394{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA828EE50785108541F075A43E701409,SHA256=A4A8A4535CD88F69B963D4AA0B29BAEAC143D8B6AB05232D7ECBA329D6EA3633,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:07.982{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-34214-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:10.394{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39FE4631CCC3D7430555AB4D8B96592,SHA256=643B64DD095671F74EA1C0FBE2AB892535846E2A633810950FB5A11CD8DDD1B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:08.398{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-7085-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:08.088{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-32926-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:10.581{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0004A528D3C6B8B857725BED23C719DD,SHA256=67AEC376F83CFBAED775B2A5A8FD5220B4F217CDCDCA340FFC08E87E2007EE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:10.221{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A75FCEB977322D89F4A285D0E01EF7,SHA256=7C24D4A84589CC28831CDF98605EB822D85982F02CEE2AFCDE45FC1B1A99E422,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:09.618{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-14672-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:09.214{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-39143-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:11.675{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEBD239D5D20AD6BDE31A99330DC1482,SHA256=4FC059DBFB59218E593A244A399A34DDE8C6E3244E812684E3E349FBDF082830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:11.284{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=664FF6ED940DD150470FCF8F34141740,SHA256=9A0EF138B8A0EC84877F762AA1D1F03C45C1A68AB5D3C64E818E545517DF4C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:11.394{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294698106D11BA2A4EE23216F42046D1,SHA256=37AF7046057642FA46EECFA271E6A39E0F31A24E1915D9510E76006274CCF936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:11.113{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22F7BC04C2594ACBB87D659436C2B303,SHA256=6DB9F5E60E31E11A03A1A5E785D42968F8912E42B5BC64678901696113E632BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:10.452{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-47214-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:09.107{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-40507-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:12.394{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D51DD5BAC908AE65AA29F0DAF3EFDC8,SHA256=A652FD3E43717E589EA31ACE9A981A2E093C259871118090CC7A840673B3E82B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:10.728{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-21785-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:10.309{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44903-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:12.753{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA758050928B11278CA9C2EAF327B439,SHA256=40D3BB57FF3770BFAA9625C8021C988ACEE5F9A11B5CAFD0826610CE73DB3E60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:12.315{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132620538CAFCF47523F76EAE7C84814,SHA256=339766BE4831FD0647EC0E9CC89BA87ADE5026289210B7D19E510F7D1CAA9F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:12.316{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F800C6C1703C7ED9D3F44EFEC0534B29,SHA256=C6F17E1286EC3FC8419495CC5C1D2A43C02CD32A54974C100E63160A8427B461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:13.878{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7608FB406704F02C231296840A981F62,SHA256=10C21ED99FE70F0B9A34A588EB46C0E1217BB246DD8E3F8022A839D17E949A57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:13.378{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE7AB908DEE47EC987BCE4563D14FBD8,SHA256=0F824CD1EA78246C09319C1C02BE28E58488DAC77738E40375452430C0C58673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:13.410{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB4E8B44A662AA0C8BA5FE3DAB6DC09,SHA256=257F9AA71EF107BD524360E8164ECF822280F2ABF318F15AA3AC8228732D436B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:13.394{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02CC32D813AE4981FB2549E0B4CB3FC2,SHA256=726A63AFBE46534836C3058E940D489EEA303FC70063F3A21A844DA00B39881B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:14.566{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB879E49676644E287CFB4CD51FC1C16,SHA256=1381C5B696C71983FF07E8DFD4346B7BB512A9C5145EA02857C37169859D8C60,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:11.654{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-53742-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:14.410{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95B20BF36BD89415EB1835582CB73A2,SHA256=CA02308E39FE05D8E7A78869771C3AE55ADAF2DDE2A52AA5F5FD2E21C542FA14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:14.487{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B4B05A49CF48857EF32891F068AF0A,SHA256=BB80FC6A47B4A77BFA5AC75F63C4922971987A754F0E508A90B553AFC3F8DF04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:11.832{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-28502-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:11.400{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50261-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001557735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:15.675{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFB0CAB936F199903B9A0BF86E00563C,SHA256=7E75A1FD093C1DD74F598D76043782310936CD3432C44EB37E26F08DE6612D9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:13.463{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65194-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001557733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:12.754{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-59329-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:15.410{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4487397847CBFFFFF95B48D5952E601A,SHA256=67CF7DA29583260C787E4567074AF275BA0E38299269EB558C58A82D89BEB187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:15.503{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B55C9D91BB9F670275146A6BD50684,SHA256=27D4B720590C98E88B0720DF1B7818E2487D04A02AD18B33E8A5EA4BC08500CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:15.190{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9069A521BBE1E333CAD262B9DC5452B1,SHA256=DABBF3614FE3974A0FF965E9630D94A2485665E7DC58BE03FA8874A520DBACE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:12.943{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51595-false10.0.1.12-8000- 354300x80000000000000001463744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:12.936{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-35039-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:12.479{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56318-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:15.003{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3434734B84C3F84584E88580F0CD52C6,SHA256=8F5FFA88586B0D79F3C115E966751E6078AC063A78C0F1C7E35F5C9A10BFF732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:16.518{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B7A14D64FB1FEA28143BDB54FA3F939,SHA256=38AC56295481190F6CF41B31496DBF852B016FF0C2FF69505AB42A04F795CEBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:16.785{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DF973F648B49D7E9FC079841713F809,SHA256=D2B58D5701F442AA084A576291DE86F9308079FEAFE57B3A4F110511A89BA27C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:13.906{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-6318-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:16.410{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB69CC5B93482194143CB7F89E36FB1D,SHA256=FCF61B255B68747BEE1670CFF0B878D559E33AA098CEC53C81293E4264F83932,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:14.055{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-41902-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:13.617{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-3148-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:16.128{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B49FA528F7B95AA26069363BF2BE7F4D,SHA256=13561F16DF5643B7C7C251F99F188DB5F9E1A49BAE6FAD8B3370F03B894A88A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:17.534{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A7B3C450A0BAC65040A4AD2D389157,SHA256=1F14AB818F6B2DA936FD776DC73447536F8A739BAB2AF219ABDAB41410EFC3AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:17.863{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B44F78DF7BFC6549EE92DA500640A110,SHA256=DFE4AAEE02A3EB33605362B05600BAD682E4E3C9294895F3BC9BD4EBC6E5B59A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:15.007{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-12110-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:17.415{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6DE78A86496719042869BA44E4A0D39,SHA256=B5235B1262A80695B155BA22676E196DDF65D2D06B410C8F4B5564BE46418D40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:17.518{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:17.253{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABA6EB198830311BBA2BB9C0C8CD6D96,SHA256=D5B3AFD54E17CD46EB8D6B01ED7E9CDAD14B8F79A0E88310F36E09E613267AB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:15.175{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-49272-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:14.744{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-8644-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:18.550{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A381CB8939446F6836545037D330D6,SHA256=700E32E309D86E02FC0FA74D234B4A7321BA0692DC50252FA3EDDD74B74F149D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:18.988{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42BB98CDF9E2BE9D502FE01D1EFB6E6D,SHA256=F2260FB34A051E9482E1E03D3351152BFDD9CE6E8661302041F2F84EB64AD65D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001557745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:12:18.753{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001557744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:12:18.753{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001557743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:12:18.753{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x80000000000000001557742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:18.441{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89EA1488414E50D68512201683DADEB0,SHA256=E46CF8E7FA2227D57299C37A1947AE8E9F9846308884F27F5A9FECFF67D495C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:18.346{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2AD8E2C42CAB9908C9E2EA5DF2F249A,SHA256=4E6DAFAC858347077FEB881B1662520838D0EEFA2C475B880A531EF0F112B6F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:15.867{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-14826-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:19.596{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3597AA89EB8EC649C54513CA99875CBD,SHA256=283E4325231B80EEE2B075EA93E1C37F0E88FEF8181D798B75D4C67E46D8EE90,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:17.217{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-23636-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:16.124{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-18137-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:19.441{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2117A44E03A20EB12DF1FAF858894E,SHA256=3E1313208ED10D221BA99294EED9045A2336D981F220D96D58C7D2C4FF396C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:19.425{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6FA411BB8BFB2C8E6454804E1A7C34D,SHA256=9DD79D79AA99BAF7CBD57B522FEC2389AB97870E3FF4A8FAAEFAB8201DA3A9EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:17.416{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-4420-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:17.207{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51596-false10.0.1.12-8089- 354300x80000000000000001463761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:16.979{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20865-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:16.305{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-56217-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:20.643{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82D5BE5BCB8BD97821A8E2A094737D4C,SHA256=E76B346AED33A2DB8235ADED006D66536167D67F2805B14997E61D48B02A175F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:20.628{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE662DB65E54739FCE092964D0353A68,SHA256=C10B77D133FCDD4EDFF99DC035A8718291A5A26AA0B222AB7FCD0F124ED0953B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:18.340{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-29714-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:18.096{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65197-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001557756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:18.096{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65197-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001557755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:18.088{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65196-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001557754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:18.088{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65196-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001557753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:18.074{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65195-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001557752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:18.074{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65195-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 23542300x80000000000000001557751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:20.441{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911A474435139AACA42DA9B8FEC482F4,SHA256=74F8ABC6FFD4064D4E1567091B739F6AEF08C8FFC961A724004FA02FD76E8AAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:18.494{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-11153-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:18.073{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-26537-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001557750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:20.113{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC7CF412CC5F3C6D7B9492F8F79C97E0,SHA256=040DF2CA2D14FE5667C7FE355C046398432A238BC035C44D83FF4FF50CBE5B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:21.721{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42AC465F70026CC181CC95A919EC0F8B,SHA256=410BCBFDAF1632F1670297A116BC6AAD90A5E55FD6C32A5703C180CBD0602499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:21.643{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AF52C5EC66B8DDA9F328E2C1FF741D,SHA256=6C1EFC101CB0AAA4C2FE5D1C604640C600439881DBDA46D584193897CE9AEF68,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:18.541{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65198-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:21.441{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A18AA7F534481E37B12602EEEEAD6576,SHA256=8BE4131BA23D39095EB05A1706B48B57F9EE545912A904A2E4DEBC8653E11E7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:21.222{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FAC0A7633B08D41689AF41EB7A6A790,SHA256=FC2BE0967C50C88EB77B7D298C04B6E0FA26E3AE75A17AF57D4A256C37A32D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:22.925{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B417F105891F7684CDEEDC2F15D604C,SHA256=0A18F4A22D0CB05001C514D27565DC42DE438ADD4042C1630706FEED38A49CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:22.675{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53CF4263F2EE44397BC5D6AD4247E20A,SHA256=8E67D4A9599C0202D1755DAD9E640BCE4B089E5F06A5B804FE365031E089C4CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:19.466{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-35546-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:22.660{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DEBCE70B9CFCF1173E81E08E8DC298E,SHA256=8449F634CC03CA42C914C2FE16430478670203FB20EA6C1134E652A1A9AA1070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:22.441{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4D7902F50288E61A962FFCF4BF9E08,SHA256=6C009D763D1D3AD900D023712B3A4C14C9D939991ACEC25C234C663CA8E8DBFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:19.584{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-18049-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:19.258{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-32676-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:18.941{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51597-false10.0.1.12-8000- 354300x80000000000000001557767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:20.638{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-41270-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:23.722{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C53C9163FC977C7E89742071F690E85B,SHA256=9ACE1AF7C63B239A5A7EBFDAC08BE064401D8138BDCA78863895FA2F67C2996D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:23.441{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05720733A9ECD1C8340B67BF93036B8,SHA256=22039047E030939AC0982AA009E5A4EBBBFE0B41BF3244DBD9122E1442226D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:23.690{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC894174CDA5196BF565724DABCE171,SHA256=8921329D4BA92E4DBA219E6D1F8AAA948904E228171E7B61A1CE6ECA9EAE873E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:21.451{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44256-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:20.758{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-25440-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:20.369{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-38573-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:21.960{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-33073-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:24.691{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8461CF3C89E88752F60DA38C06113176,SHA256=378EB4513C181C67003BD4B8EC8EC63B8B1E3F0C79046106C47314999555FD99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:24.941{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1636EB7F5F3A815620F6CE4945E51A0D,SHA256=DE2CEB5BA74544C1A375398FAFA3C4BC7C9689993D883F0F0CBC010188E14666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:24.441{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA09B873748B8D5602EE6DDF7B00B2C,SHA256=14C758663543FE2DEF802F4C97AEB03519B1142BAA92389896DC7000881CDC73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:24.097{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFA37BFBFABD1C8FDA5A04C016DF885C,SHA256=81CA3EA5EC2854F1BA9AA3274711D71E70775191FD3DD005D7AA5BBB59CD473F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:23.174{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-33774-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:23.135{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-33601-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:23.071{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-40372-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:22.650{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-49570-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:25.706{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8063C2CBB7E90D06D0DD07B1101D13,SHA256=3BB4199EDD189A856BDCC93A4F39E974C769DEB21169FC9FD3324F36F1958D6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:25.957{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8F75DA0C43E5435CB75488ED67362C9,SHA256=18DEB63162C10778E1604DC4E794EBCD5AAAA751570E5F44EEC84FCEDA6BD0D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:25.441{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB033C83F55555CE55739BB72937C8E,SHA256=4FCFCE9ADBB30E01332A253A6B501C9BCBE230C63C92981C43161A9F02AD375F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:25.362{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32E34C412C7C2D1C4DD6D73ECA913A34,SHA256=BCBAD412E3D0D8F87DA6A05495FAEA0162C12EB4003C15CF9A2B940A5742F789,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:21.999{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-47828-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001463807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:26.815{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C0A-6154-BA04-00000000FE01}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:26.815{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:26.815{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:26.815{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:26.815{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:26.815{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:26.815{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:26.815{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:26.815{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:26.815{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:26.815{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3C0A-6154-BA04-00000000FE01}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:26.815{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C0A-6154-BA04-00000000FE01}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:26.816{69CF5F33-3C0A-6154-BA04-00000000FE01}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001463794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:24.446{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-41359-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:24.150{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-46956-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:23.942{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-55958-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:26.722{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969D8C423C37B2F79D1809AD04B5133D,SHA256=4BECEC36E241DFCD4D39B0F32FF722F1D9F766E4B9BCF082C2B1F4B47A76B45F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:26.441{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2900310CC65555B7393AF6082E979B19,SHA256=7B1256F442AE741747B1F6DFB9608DD8B1C11CC2663150BA2436A28675846FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:26.503{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68D76135F11693F96B08C7AE384E6E46,SHA256=06EAC5A9CA04CAF456EBBDB1865EF8970EB86CEB4794FD9236DA1BEB75D6BB35,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:24.203{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-59777-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:23.092{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-53787-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:27.441{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C096962F89464D6F2DCD9572CACA5D18,SHA256=96DF7140D9A86F9A9C447A6B6A832EB3C4FAC3E6499C2F3C7FA2A328135CECCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:27.643{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8C734F99F0A960EB9EEF398AB982F43,SHA256=B4BE2197318C7B414E4B6259B4D4191DC9C2CBC4C078A8FD05D4AEDFDA3AF986,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:27.534{69CF5F33-3C0B-6154-BB04-00000000FE01}8041680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:27.315{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C0B-6154-BB04-00000000FE01}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:27.315{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:27.315{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:27.315{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:27.315{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:27.315{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:27.315{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:27.315{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:27.315{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:27.315{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:27.315{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3C0B-6154-BB04-00000000FE01}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:27.315{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C0B-6154-BB04-00000000FE01}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:27.324{69CF5F33-3C0B-6154-BB04-00000000FE01}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001557777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:24.417{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65199-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:27.035{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A39576C4EC8EABF2D44B1406645783B8,SHA256=03221FE8BF1EAC875EF5F7FEC133837EBCA6F4D56B26996E1D59285E5B7F2949,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:28.441{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89AFA07C87B9F8CA17C53B866831D954,SHA256=C59B4C82D5EA05B7FD04A64BEF5AC7D41791750D31ED9F4C2D956A254E00C70B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:28.800{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB3582BA55ED151996F79E46F8BF543D,SHA256=9EA6EF4934930A834C570406F17025C269CE981BECC58561D33B031553A6884A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:28.159{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA553D05A899654DC7E6F8AB792C6ECB,SHA256=FD64608E02F3F0645B1AAF6A103440D579A0E5ACD7428166CB7203A1806119C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:26.423{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-1896-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:26.244{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-9450-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:25.524{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-48339-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:25.274{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-53976-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:25.114{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-3134-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:24.754{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51598-false10.0.1.12-8000- 354300x80000000000000001557780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:25.296{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-5998-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:28.160{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E2E6F50AF44FB043D8AA06F75D2A5B4,SHA256=F1C22C432351FCE1881661B69EFE3182263A1E6CF262EB06CF2111461C339998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:29.458{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=140F319C1CFABE314C702A241C72E691,SHA256=EE999D603D9EA3AAE891FA8587EA72145FAC7C5936891AA32DA18BE50B7192CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:29.893{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EEE45B8C51F6B626686725D75F71FF9,SHA256=BF066D947A8770489268B3A9E460EA61C243634E76082F2E21AD341DCA0B423F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:29.565{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C0D-6154-BC04-00000000FE01}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:29.565{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:29.565{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:29.565{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:29.565{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:29.565{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:29.565{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:29.565{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:29.565{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:29.565{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:29.565{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3C0D-6154-BC04-00000000FE01}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:29.565{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C0D-6154-BC04-00000000FE01}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:29.566{69CF5F33-3C0D-6154-BC04-00000000FE01}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001463842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:29.159{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=614D015AD570AF550FC3858367F6D55F,SHA256=E37EAD74780F36077BBDF1D1E2D706A4D98A5F2437CCA713BEC690DA84B115E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:29.286{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC22F57A7B31C6401C60A134968879D1,SHA256=7DD20CC2B7DE03CEC09EFE2F94410F9AB3A2D18009527F4B875A30313F0D4AD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:26.388{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-11922-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001463841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:26.708{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-55666-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 13241300x80000000000000001463840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:12:29.097{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001463839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:12:29.097{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008a8ec3) 13241300x80000000000000001463838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:12:29.097{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b512-0x2065d7e0) 13241300x80000000000000001463837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:12:29.097{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b51a-0x822a3fe0) 13241300x80000000000000001463836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:12:29.097{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b522-0xe3eea7e0) 13241300x80000000000000001463835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:12:29.097{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001463834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:12:29.097{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008a8ec3) 13241300x80000000000000001463833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:12:29.097{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b512-0x2065d7e0) 13241300x80000000000000001463832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:12:29.097{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b51a-0x822a3fe0) 13241300x80000000000000001463831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:12:29.097{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b522-0xe3eea7e0) 23542300x80000000000000001557787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:30.474{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2404B04C6A123F71A220F2E0AEB21C29,SHA256=D17B68A7F071808A1EF5FDF6D70E2C00CA0366913D553AD51B1E8A07D6EBF935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:30.987{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ED46125CE2EED3F0D7B3C205EFC15B4,SHA256=7D3D9AC087D877A862DA6BB5A6A8ABE596E532BF0D93D5DE56CE270ADEB2B773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:30.175{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8473A719CF96E094823526BF62FE83,SHA256=8D890E8EA7687D287BABDDE734AE6705FD09F19D890CA407269A324B2E3F5868,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:27.557{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-8989-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:27.394{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-15107-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001557786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:30.365{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16915C0CFD60213D66313CFB52AE1C91,SHA256=A28294B2C6311D812A40BE53558911534ADAE7CAC6786DC31903C32FEFA0B56C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:27.513{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-17796-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:31.474{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC2DDEA51602C21ABA1601DCFDB01ED,SHA256=EDC4EC988E047C8A53880BBAE23790DF5B2965D193218D49FD4F9B7DF67EA5BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:29.025{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-11365-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:28.679{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-15856-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:28.537{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21395-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:27.928{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-4392-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:31.190{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA55B8DA0DE88116CE1913A43B6DE94,SHA256=04427DA3EBA613F02C76330CEB216F32EE9C1CF22D8DE91D06364356A13A5C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:31.443{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59B5E08DCF189D95D349AE93B9836B6E,SHA256=1ED189F6B4C463DCC06828C4317302BD4F2897BE36BB54EBCCC6897BF0ED7C3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:28.628{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-23738-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:32.724{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73A2A71560F1C976325BCDC5176434C9,SHA256=7942D104C78413A8C12C1F42A420C733149FE71FFFA0F295DE6D6B4756E89D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:32.708{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6AF20A80A1169A76105AB61CB538D3,SHA256=F348A8D5D83415C09C60AAF42B813CFA32E9BC452145D4DA92BD7B083528B402,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:30.103{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-18323-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:29.941{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51599-false10.0.1.12-8000- 354300x80000000000000001463869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:29.822{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-23114-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:29.636{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27420-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:32.190{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9517576E47C5A5E28BEE50BCF69F85,SHA256=1210924F69F78E427148A427C19FDEC91FD34BDBB02957D50EBE5CE0F0257B8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:29.704{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-29378-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:29.418{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65200-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:32.242{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-146MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:32.159{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37FDD94CB0CF696138DA4EAE21FAFFC0,SHA256=726E3AADD7E932934E84504A3FD0AD0F4788CE1508A71610A8B0D5278A47927D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:33.722{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0AB52394523569C96F165C7AAEB3D27,SHA256=5F05EBE80C49288527AB3E5B12597D75DB38AC849D45A5661D92BF88BB77A16E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:33.472{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F53575C17EC8CEE903BE4120CB498035,SHA256=CAB71EA81C44D2FFFD97A1303DBBCDD132A4523E0296238820B6191DD27E0241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:33.222{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842B34AEDD37A1EA9CCD0A03A4DAA39F,SHA256=688DE0C43A65290FD767879502242598BA89DA74C15D3B4D769F19F8F6A57B7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:30.824{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-35418-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:33.256{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-147MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:30.949{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-30115-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:30.775{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-33246-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001557802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:34.803{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=048CBC53147A3B9902BA93EB1E795B80,SHA256=D37FAD3AD2BCE89432D1395BD5DCDD16EFE79A7F92AC5F3270D96B74E4D1BD17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:34.757{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C58D48C6E63E9A0F8A523E4D39FADA74,SHA256=2AF380B03444B8ACF1806DB3C55492A711CFB75F0A48DEC35E8055A079DBF63D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:34.581{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9366E0E0068E9AC9B1DE9EE56F6CE795,SHA256=3B7D410ABE5DCE47D106AE6A1DD8F79EA8866657FD737C5725BB664736BAB189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:34.253{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A3C9CC2907FE335ED4ED977B91CC55D,SHA256=25C380E46EDF71077A3E6471755077D71390009A44CAB734127D5A5073304A5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:34.413{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1B63DCDDEA7A0758979B4058E20F8BEB,SHA256=2A6D373E83271B1B7D88899B4DF54A931E04A2C584EE13BEDC628351DC6E4D29,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:31.986{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-41075-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001463878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:32.071{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-37257-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:31.885{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-39036-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:31.206{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-24718-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001557804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:35.757{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6AC6A0D93B851F307AAFA82901DB354,SHA256=4F6C5C2658D202E89C9A777166D49E55F8603CBB04D23D142187A27C288F351B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:35.690{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13ADD1BE07FB89C2C0600885FD8EE352,SHA256=CC3FB6CAB21C58E417D1A798059F6294F29721D706B838A44278E008BDEF755F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:33.229{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-45838-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:33.212{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-44509-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:32.336{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-31918-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:35.300{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3427DF37E15E67678B768AFD8048DFDC,SHA256=7199DB86BE5DD1697E9D04659925185B84D7685BD28029E3B0764F4F735024DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:33.061{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46745-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:36.757{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F336607AC656F45D0AC39EF3F389A05,SHA256=FAE700B707248F7D5DF71C38D71BF82E2548EB6A4CADF004B8CD6097FC6D8C9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:36.862{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=069D9083DA11192CC5AB4E906366E248,SHA256=D94A71E93DD2C83D86F2F5AD5548B99E96812E08A289251D033F27B553430C18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:34.352{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-51707-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:34.313{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-51836-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:33.525{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-39218-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:36.315{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B04308B66B20BF8A7C8795258F37627,SHA256=4BFCB8D166262E62143469A96A57EA39F85AE95B0B105D165D64C85DB3C80AF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:36.210{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB031EEAB62BDADF0ECC6F3B9CFB1866,SHA256=28DC3B880E2C9699361777025FE2DBFEA92ED18D00291594F83B172EFA64D493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:37.757{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E786E80466247FB4E8131FEBFE4967A,SHA256=1809DAAF66BCBE9D6C91D332FA28AC920158B87FA3CFC71F9B57F9D4DEC421FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:35.544{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-59202-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:35.431{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-57158-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:34.602{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-45967-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:37.347{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C9F6B8BF60CA116B9A2EF68128CB28E,SHA256=BB392D5A84646CEE7A5CCF7A913965498AB716E00107027FB631F98FF9296AAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:34.435{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65201-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001557808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:34.252{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-52907-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:37.382{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA7BB59984CD86D4C315589E064A77DD,SHA256=29D47BA63C332B65BDC996B9ADAA37A7301E5A9651BFDEA3E3D57421023B4438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:38.757{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64246A1BB45454A8A9A1A4D555A922CF,SHA256=B44785480DBE84569A2C09226E5C6F1DC7DAA0CD7B8F039E0961F614A21E9C6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:36.604{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-3993-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:35.769{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51600-false10.0.1.12-8000- 354300x80000000000000001463897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:35.706{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-52771-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:38.362{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E101CBF1320820959B5C29B151DF05,SHA256=4603485CB4FFB47A455632D5333717783004414849518A67355507932CB0917F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:38.460{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2772A0033B57E7A67DF5ADF144C1EA15,SHA256=905DA0BEB8FD1E84F815AB977917CB9F0F95283B3C792E90D9C2A4A87F3E4CDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:35.564{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-59149-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001463895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:38.003{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41CAE87CB813213B4C1A7584E2A88C2F,SHA256=9BDCF963280112FE69908ED869CCB47F141FC3721F4BAD0BD05CA85410B5B635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:39.757{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=564934ED0905E53654CE000C640B1D93,SHA256=6B5A66B29B1268CF85DF8173DC9480F0B355ACFA7E4E75BE2AC4FF38299EB74F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:37.741{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-14277-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:37.730{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10003-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:36.836{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-59884-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:36.637{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-7055-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:39.378{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FB6FF616B62042A1D321C6A7CCC8B9,SHA256=1F840CF354EBA49DACDD53E23872EFBBCFEAB30F6753DC11FD323B02BB3159CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:39.538{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=490DC51DC169E90CEE8C408F49DBD785,SHA256=8C70B08ED78896EB243CCCCB0B8EAD7534AC446E4F8F64828DFB65A0144059C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:36.721{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-6646-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001557816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:39.100{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:39.100{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:39.100{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001463900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:39.081{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABAD0BF02BABB8D60AE4441AE15BA0EC,SHA256=8209AA334156F6C32B89D4F663797868EA7679CD828F0B8619556DC9903A6C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:40.757{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF272F6848740D85426E374ACA78C101,SHA256=5EBB7A5FBCEA9577AC2002A6A7CBD1B72B19A243A497E1C8827B5888D423664B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:40.425{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A56FA712C97A4949D9511469E936117,SHA256=F5494FD3535CFFB566F5FACE691B7591C093746F6A2885AF80314369AD810982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:40.679{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=701B556A04E047CA6C657040482F2886,SHA256=F8C5ADC48A3AEB44C424ADED2D882154C9ECD8710DEA617670FE7E7524AFB57B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:37.801{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-12218-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001463909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:38.883{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-21213-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:38.856{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-15867-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:38.020{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-8482-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:40.222{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E553D3686C625B886FFE75E0995F972,SHA256=26EF7D4EC805086749B5C5B04805150F5C7308368B2E49B23EA5F64F8479CBF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:41.804{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF2B00F362397E00764CAE832E2B179B,SHA256=6E3AFE8DB642C72BF69CEBA5682829DD8335AD3F169D2438BBB4F07B9F3EF8F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:41.773{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE61D9E450505D2D222B1EA94069297A,SHA256=DC0A611F748489664F5359A7DD2E006411735EB5BEF64C1B2284EA3B32C8CDA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001463913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.472{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95A53CBCB721CAE9BB497E43E4D758D,SHA256=81013B6DA79FCCD9F617A049E18B430441C740D6F988CB9CD17E6060F119D878,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:41.710{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-1892-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001557823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:38.897{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-17660-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001463912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:39.149{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-15357-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001463911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.331{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8A33EC5B11A67CEBF7B26F80D373145,SHA256=B681537F334A04A92CBED7273A3393794EC478D33BF92620F931864CED4D6010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:42.975{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32EDE4BFA3B4FC4181E08AAED6563CB1,SHA256=C168337068B781E2D731F8434E822A6543B325EE745716C4B3CA275C50599C8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:41.034{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65207-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001557838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:41.034{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65207-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001557837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:40.935{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local65206-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001557836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:40.934{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65206-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001557835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:40.924{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65205-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001557834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:40.924{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65205-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001557833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:40.923{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65204-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001557832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:40.923{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65204-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001557831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:40.922{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65203-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001557830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:40.922{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65203-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 23542300x80000000000000001557829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:42.788{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63CC2CA1C97216484FFB964EA5FCCB5,SHA256=C6C0D9B8AE922BDDB2A068A04DE5ACD19DCBD2C0E27C669CEF1BB296174B3484,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001463944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.940{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C1A-6154-BE04-00000000FE01}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.940{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.940{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.940{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.940{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.940{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.940{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.940{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.940{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.940{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.940{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3C1A-6154-BE04-00000000FE01}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.940{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C1A-6154-BE04-00000000FE01}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.942{69CF5F33-3C1A-6154-BE04-00000000FE01}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001463931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.769{69CF5F33-3C1A-6154-BD04-00000000FE01}36404040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001463930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.472{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90AFD1BBF68C50E6AD6A963A7591351,SHA256=20E5E38BBAE3C42CE6E199588A9ABB401B701FAE3FE871521EE2EDF8C0F730F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:40.341{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65202-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001557827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:40.025{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-23626-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001463929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.425{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C1A-6154-BD04-00000000FE01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.425{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.425{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.425{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.425{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.425{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.425{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.425{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.425{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.425{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.425{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3C1A-6154-BD04-00000000FE01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.425{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C1A-6154-BD04-00000000FE01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.426{69CF5F33-3C1A-6154-BD04-00000000FE01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001463916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.409{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB52744FADA7184F448DEBB0B8439992,SHA256=12E2DE31FB72C03A69EC292F3952690BE327EE066A94FEF33A4FD6DCB8E5584F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001463915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:39.994{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-28550-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:39.952{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21806-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001557843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:43.835{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F52049BE4CA8E1CF127D8AF01974524,SHA256=CDF521F5B496771D91B4A05AAB785F1B3CC0F09F0D6EA12552D147F3B5C97238,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.940{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C1B-6154-C004-00000000FE01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.940{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.940{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.940{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.940{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.940{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.940{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.940{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.940{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.940{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.940{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3C1B-6154-C004-00000000FE01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.940{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C1B-6154-C004-00000000FE01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.941{69CF5F33-3C1B-6154-C004-00000000FE01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001464008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.675{69CF5F33-3C1B-6154-BF04-00000000FE01}2448408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001464007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.644{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568F5A326C584406BEC14FD19B08F149,SHA256=06CD814778924FC963A03F8FFCB0FF99BBF66D1C4DB02A5C8EA7133AD2A0FDA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.628{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF6D7F741B190A4B124A7EBD8B8CCB0,SHA256=04924118788F1D564BC21D4F8DBFA4C4F2DA81229ADFC869E1C2853A5CAF1037,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:41.378{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.92.42-49536-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:41.158{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-29870-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001464005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.456{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=787BC7BD995864B8587CDDC2ED5CE5AC,SHA256=453EC3121E5094B7FE9766139C864754781E3AB863AE7C387FE489770930052C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.052{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-40931-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.030{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-33511-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.017{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-40725-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.008{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-33363-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.986{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-33019-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.982{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-40428-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.947{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-32928-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.945{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-40286-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.921{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-32824-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.898{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-32622-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.889{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-39902-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.862{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-32425-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.825{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-32158-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.799{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-39326-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.788{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-31867-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.757{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-39243-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.749{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-31466-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.712{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-39125-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.690{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-39001-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.667{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-38759-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.632{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-38525-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.598{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-30738-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.595{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-38210-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.575{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-30616-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.556{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-38046-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.553{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-30425-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.534{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-37816-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.516{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-30320-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.499{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-37675-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.495{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-30116-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.477{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-37413-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.458{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-29959-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.438{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-37202-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.436{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-29825-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.413{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-29674-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.405{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-37057-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.391{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-29403-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.381{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-36843-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.344{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-36607-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.307{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-36385-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.270{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-36207-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.233{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-35947-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.157{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-35534-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:41.041{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27533-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001463960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:40.879{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51601-false10.0.1.12-8000- 354300x80000000000000001463959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:40.274{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-22461-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001463958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.440{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C1B-6154-BF04-00000000FE01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.440{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.440{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.440{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.440{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.440{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.440{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.440{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.440{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.440{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001463948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.440{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3C1B-6154-BF04-00000000FE01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001463947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.440{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C1B-6154-BF04-00000000FE01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001463946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.441{69CF5F33-3C1B-6154-BF04-00000000FE01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001463945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:43.206{69CF5F33-3C1A-6154-BE04-00000000FE01}3800184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001464065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:44.956{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=532498D1EB4A7945B67ACE5DCAFF0D78,SHA256=E10C70E399ECA283B388C8C4736F66D22E613D6ADE7AC576234F1ADEA1F3F8C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:44.784{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73F523EEE1C4314EC93EB529BB9D23B,SHA256=7304879A7014E3148E86582E74B456127F23EF15E43803ADE5F753E88A4338C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:44.835{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE330164F7269B3CCB85BD928645956,SHA256=7DD4E5B127936CEA22BA333C5A94CF45EEB5D64EA2E3D72488DE715123752D55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:44.382{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80F2169F3BCE4323D4813377D3A0B63E,SHA256=435ED469D4A2CA53698D3673127A26394917811006A14CE80992ED1EB61811D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:42.481{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-36131-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001464063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.790{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-38185-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.751{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-38046-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.727{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-37884-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.705{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-37712-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.667{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-37570-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.644{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-37321-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.607{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-37075-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.573{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-36819-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.535{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-36600-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.500{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-36433-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.474{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-36274-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.450{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-36016-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.412{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-35853-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.406{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-34484-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.388{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-35661-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.371{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-34287-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.349{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-35542-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.333{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-34072-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.329{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-42816-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.326{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-35255-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.307{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-42562-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.294{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-33870-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.282{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-35017-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.268{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-42371-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.256{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-33737-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.243{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-34829-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.233{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-33551-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.231{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-42279-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.208{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-42092-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.204{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-34644-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.195{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-33436-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.182{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-34428-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.172{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-41865-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.172{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-33242-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.148{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-34316-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.134{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-41764-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.134{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-33114-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.126{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-34167-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.112{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-41619-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.104{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-33927-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.089{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-41424-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.067{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-33664-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:45.815{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B9D5D597356ED1FE4D678B6D8CAB2D,SHA256=90CBF0D2064E2EAFC154632D5CCDC966328DC435FA07A2E8DA00369DA50A4E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:45.850{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B43A4DED9B8093C7D2D3F59E8699A0EC,SHA256=DB78C2BB6FAC28B81E2B1CEBAF7AD10EF09644407FCEB9CCF729ABB0C7E12089,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:42.828{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-38414-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001557847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:45.460{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EA9461ED948AB5DCAFD2DC8F164EC73,SHA256=E8CC46D60C926BE503313632FFB79D2B051716B584002A40DDD2F2A5C42B4FD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:46.847{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0C04A67C801440FC1046985FEE1D8B,SHA256=0E3E9F681D3E08C491B658A7A0F9F51E41B669D0F950EFDF5B88B93F82592504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:46.632{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E59228B9DC9F70D71E0FC5FFECAC1CF,SHA256=396A5F6B5FA2AC3AEA66289F618C98B9C9962CFD8031D5C4C82E43EB5D32B6B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:43.721{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-42901-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001557851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:45.991{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:45.991{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:45.991{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001464069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:47.878{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB2921D6247374926C4389464531A53,SHA256=AE37E5A92EEA9630572B44EED766FC67C1B0930A3480B480F8A8790496F93E5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:47.757{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=469C0AB9C19BE710E6DAB4281878B888,SHA256=F059478F29BDFA1C74C641B012B45B04663E522D32EDC31052C635DED23F5635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:47.569{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:44.807{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-48638-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:47.022{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B31342E8FC01FAC8A82DFCBA816F5D96,SHA256=FA4E1CA400B6E65E78B67759E73FDFD4E0D6B72F3D142959DDAC7A1A01E628F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:48.909{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3338503FE85CFF0B456930948F1C5CA,SHA256=CE81BD46B3033D06574B960DD1F672710B0D6FC48D2FC44E0C852AB51A725C6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:48.868{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B58BE9CCF1F60EBC5CBB87D56F423AEF,SHA256=3CF9A8CB8F6C9144D61B45EBF62C1C694E736E93F0CA55DA30AF014BB0E1D797,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:46.357{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65208-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001557860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:46.351{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-11384-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:45.972{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-55046-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:48.132{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9377143CC2F5810CAFD3B1C127EB5E58,SHA256=84AB0279A32D6AF24649A396B617C3A70C2F806D972BA9419B56CD514BEE5CEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:46.863{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51602-false10.0.1.12-8000- 23542300x80000000000000001464072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:49.909{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46460A0824FEDB6235B2125785504807,SHA256=949C2E942A3B3044F2CC849A8C4AE26730931D4432451071268C560C0FBC5A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:49.993{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC1E5336A587ACD5EBC834FE16A8E661,SHA256=33109033495C675D0E7F49137E5B0414840DB9FA823D35D8B2D8D0C8213CAD62,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000001557873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1088DeleteValue2021-09-29 10:12:49.680{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy 10341000x80000000000000001557872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:49.680{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:49.680{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:49.680{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001557869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:47.394{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local61975-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x80000000000000001557868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:47.394{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51184- 354300x80000000000000001557867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:47.394{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51184-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 354300x80000000000000001557866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:47.111{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-2077-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:46.890{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65209-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001557864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:46.375{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-11637-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:49.134{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=326C52832EE0C31E6217FC8B56C6FF9C,SHA256=745A472ECE3C6BAE302F22F5765B793A615F4D1647BDBBC48AB54842E66E822E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:50.925{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381676E2FCC3288314687C7614919D88,SHA256=B5860FFA20A405164E85E1568ACDABFFA8ED3E4BE8C83B97EAF315A3003F2400,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:47.457{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-18503-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:47.397{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local65210-false93.184.221.240-80http 23542300x80000000000000001557875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:50.165{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6834A37984E75BE9341185633163FC2,SHA256=3F9B755777B33EB4927F2510DF90D52E8E68D52902C42724CCB325A01ADDD299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:51.941{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637673BB13588FC7FB5847E153737028,SHA256=9182DE710961558D4D76322AF41444777E05EDF2A75CE14AC11E8F7041333962,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:49.333{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-13702-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:48.534{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-25185-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:48.222{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-7736-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:51.180{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F193F1EE3AC34D14C438856F52AE7BC7,SHA256=C664FA4457F90E5C59F1BC9F715BBC8C46B663222204BC2C615FD04EDBA726FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:51.165{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EA884B54036283112026408F2249661,SHA256=F386C04A31A0AB8FF79E8B11FB6B3D901F8AB625B79DDD598F7510506467B0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:52.956{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE4E2D73B2897CBD358DF7F5666BF3D9,SHA256=C86173130E7934DD42AAE5379ADA0B60F59BB6668619FB65A8BE3404B97D6310,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:49.640{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54196- 354300x80000000000000001557885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:49.613{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-32137-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:52.243{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D09C58547E4DA33B2A96F7EC1CA1EE,SHA256=92183497F8E7F8369F9B259A1BCCB84F50E5D92B46382E085B1C841AE0C392C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:52.243{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E9AE8B17C84C148520CF61F9A2FC025,SHA256=4028938322E16416F5B9531DE536AD0C985E4ACF3CF479D5DDF40D4C8861DB82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:53.972{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4730E763E06919646663B83D8557FB5,SHA256=D9EB51D321EA9F626ACD5CEA83563ED36882095AF51BA621AD15744313CA8E9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:51.596{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-25568-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:51.546{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65211-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001557890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:50.691{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-38777-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:50.504{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-19798-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:53.462{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7212159302E57DD6AAC6164563AE4071,SHA256=CBBEDB38548F82F59175E1A257F719A60FCF3BF5E8128E269E85113526ECA43E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:53.368{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE4C8045AA2BA3A695F32C66BDCF59FF,SHA256=E996341A6FEF9174EBFEA6AB31CDDC1108303480E056D5473900085E6D4471CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:54.987{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901BBB38ECA1186BC16531AC83BBB183,SHA256=6368835C27D75C9414A843E11345A2953669937DECA250164CCB849A36E7B123,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:51.770{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-45427-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:54.462{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C0B803235FAE7E474184426A87B5AB9,SHA256=BEF2F5107A5C6FC12BF6969D350712E31A14F290EFB525FD832B1019F56B952E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:54.462{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921387C722E8543F5DD2D099886C6082,SHA256=EA44B8F1A1D61BFEE73C47146EF2587ACC961F5780994CEA197C67320AD31D4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:52.785{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51603-false10.0.1.12-8000- 23542300x80000000000000001557899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:55.868{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88C8B288FBD30CE3858C142BA7A50D4C,SHA256=5D8E1FFFDC3AA5FAFE8E3E3AAFFD872DC03646E0DC5CC1969DEC9AA6E96ADC62,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:52.973{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-53031-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:52.707{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-31531-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:55.462{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41678BF5388E1383659DCA53EDC54F80,SHA256=7CABB31462B49C8FAEDE92CBB5140C1BCC4B668D23A149A712C4129D1CA6EE62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:56.946{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21D9034FC886D97D92927E1994326ACF,SHA256=13E1979681B376FCD42E3E8F9C1AD61876E83A96A13C5AE0A66B4BC7A6BA5C49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:56.868{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3C28-6154-FB04-00000000FE01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:56.868{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:56.868{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:56.868{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:56.868{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:56.868{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3C28-6154-FB04-00000000FE01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:56.868{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3C28-6154-FB04-00000000FE01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:56.869{5EBD8912-3C28-6154-FB04-00000000FE01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001557902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:54.103{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-59905-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:53.966{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-37755-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:56.493{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC2868EA1AE0304C8A6E0DE70F39106,SHA256=73CB83B5916C57B771D7CCB9B94F3146FCDEB55FF686001F72EDFDBCB8FE0504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:56.003{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E451D49CF55E12AF112F16CCA256A4,SHA256=104FA43120761A41C31C98F544546D5320CEAE76261CAD22F990C95F41B7663C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:55.287{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44226-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:55.210{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-7963-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001557921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:57.540{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3C29-6154-FC04-00000000FE01}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:57.540{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:57.540{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:57.540{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:57.540{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:57.540{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3C29-6154-FC04-00000000FE01}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:57.540{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3C29-6154-FC04-00000000FE01}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:57.541{5EBD8912-3C29-6154-FC04-00000000FE01}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001557913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:57.493{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37255A952CC9E2E28126B46392963F7B,SHA256=C420192F24019E7541EC7961B1EB4D588C0298CC43C462CC450BE8397B096E0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:57.003{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C83FD34FDAD5F13463014040AE28A6,SHA256=35971B0A6653ECCF5E6D0E90413D149711014E2A9E7C7CA4555184FCBDE8CCA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:57.071{5EBD8912-3C28-6154-FB04-00000000FE01}56401328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001557935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:56.417{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50348-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:56.301{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-14893-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:58.493{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B5186F8F9361EC05D7B6E17221B786,SHA256=B35B94A6B381F055B0A328854FC177DB46FB5CEC0E5B311A02EA242C9B512AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:58.019{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=535344F34AAA79E348C673216E31224B,SHA256=825A0383211900576C7AF3A8D6623E61FF9EACEF4D832338AA38D77ADEF6F4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:58.071{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2DC17E7C5B42E3BE70A3C696FB474F7,SHA256=B1BD1A122C85BD35D15E79BA6C99DA39EC99FEE9593E4E333521B1B561093A29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:58.040{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3C2A-6154-FD04-00000000FE01}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:58.040{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:58.040{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:58.040{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:58.040{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:58.040{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-3C2A-6154-FD04-00000000FE01}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:58.040{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3C2A-6154-FD04-00000000FE01}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:58.041{5EBD8912-3C2A-6154-FD04-00000000FE01}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001557939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:57.424{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-21917-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:57.375{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65212-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:59.493{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02128136148983E7A6E3FB2EF57B714D,SHA256=B7B136082E32FDAF3828BD25CE7B397C17A117349998A441459B103E52269041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:59.034{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01235346F66B02CE290FBAF3568F0FA,SHA256=009DFE9CA1C382F8C89EC99809CF794F6F462767A392F135BDD9D5839E848C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:59.196{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77609BC09CE34DABCB3BA951535D9825,SHA256=A84B0AA2C9731536442DE503274164C989B3BD2F71FE5FD935A41E489B95DC83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:00.932{5EBD8912-3C2C-6154-FE04-00000000FE01}3643952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:00.759{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3C2C-6154-FE04-00000000FE01}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:00.759{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:00.759{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:00.759{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:00.759{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:00.759{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3C2C-6154-FE04-00000000FE01}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:00.759{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3C2C-6154-FE04-00000000FE01}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:00.760{5EBD8912-3C2C-6154-FE04-00000000FE01}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001557942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:57.669{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56931-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:00.509{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18701163785CDFF0F049960BF79AE8FC,SHA256=971EBF4B5503ADBD4B7A3DE171B1C568F8F766FB004F5E43B841BA5C2C4BD7E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:00.081{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BAF2537B2E0A4AB78319707CDFC88DF,SHA256=9730F26ED0D5F66A5AFCD563CE91642743C7ACAC58DC9B43E692FE6F055C1435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:00.321{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B732E2105F07630819F0EB99852BF21E,SHA256=C032FD382B76EBE38EE826068FFB16B4CE8A1302107EE62DD5CF1302CB6E6A48,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:59.660{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-35866-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:58.820{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-3686-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:58.550{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-28908-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001557963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:01.618{5EBD8912-3C2D-6154-FF04-00000000FE01}3208720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001557962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:01.509{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71D3609A2878BD6535127EA6D88AF0B,SHA256=EA60B045E3B5EDE20EFBF97B08803949F5DE03F02A939C121765ABCBD9267D72,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:12:58.785{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51604-false10.0.1.12-8000- 23542300x80000000000000001464084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:01.144{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECEBECE19AAC9BEB0BCA8499D70127C,SHA256=04AEE4D051ED50591F2BCD4242E67EEE51A656EE923102C32A16093B6A3A17BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:01.415{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3C2D-6154-FF04-00000000FE01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:01.415{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:01.415{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:01.415{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:01.415{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:01.415{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-3C2D-6154-FF04-00000000FE01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:01.415{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3C2D-6154-FF04-00000000FE01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:01.416{5EBD8912-3C2D-6154-FF04-00000000FE01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001557953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:01.399{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28BDB54E8A00BC0C98D49035E8386C31,SHA256=CBB4EBCEB7359856A536403B01032994CC6D068FDFF5C3E3327C61E0DBA59ABA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001557952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1088SetValue2021-09-29 10:13:01.368{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy(Empty) 354300x80000000000000001557979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:59.968{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65213-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001557978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:12:59.968{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65213-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001557977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:02.509{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA45BC9377002009B79B7B9C7FDE0FFE,SHA256=47AACD2FBF032A3C54F8F556088A2EE1C3498D26A65F48152D6E97CC713BB550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:02.509{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D140305B90939C3D71A2473165F64B1,SHA256=C559239B01D71B37C673D85080EBD7BFCE03BF3D2AF9C604A65166D21FDB379C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:02.368{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-147MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:02.177{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFBD4C7DFD26E7649D9FFFE2994E29FB,SHA256=C7FE2608EE3354AE1260307E0D3043DC19F51143A7DEDB068458C563F4FE88E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:02.321{5EBD8912-3C2E-6154-0005-00000000FE01}51005032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:02.087{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3C2E-6154-0005-00000000FE01}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:02.087{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:02.087{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:02.087{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:02.087{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:02.087{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3C2E-6154-0005-00000000FE01}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:02.087{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3C2E-6154-0005-00000000FE01}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:02.088{5EBD8912-3C2E-6154-0005-00000000FE01}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001557991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:01.832{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-49383-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:00.738{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-42451-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001557989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:03.556{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=058D607634703E986BC4B25458AE0C11,SHA256=08EEDF9AB24239574BC31F83CB6CACFF939EB2E1BAD5279B3ACBCD8C4C955576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:03.524{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF89EC418BF02CADFDBF05D5EB22262,SHA256=602902C817427F2140C7C75574ADCE36511D7CB7D2ECACB1BA5D41EDF4F37BB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:03.509{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3C2F-6154-0105-00000000FE01}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:03.509{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:03.509{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:03.509{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:03.509{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:03.509{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3C2F-6154-0105-00000000FE01}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001557981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:03.509{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3C2F-6154-0105-00000000FE01}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001557980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:03.510{5EBD8912-3C2F-6154-0105-00000000FE01}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001464089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:03.381{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-148MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:03.208{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=041444BBC37144EDA117A226BE2E253A,SHA256=FA01418A6F2908379F3128DC733928468A46AD1C0627DE546440109EF878C25E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:02.923{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-56500-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001557994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:02.468{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65214-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001557993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:04.681{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7F0FAB896A676052CF9443ADE024715,SHA256=02956D512BEC438DD2CF5FFCCC9FD4F8C4B4EEF8E242252DDA48F2CB829C19A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:04.509{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B40BF955EF4CEBCC068DE4254A9E006,SHA256=F653D36D981C490FF4F510D48746E62D12DC17C41F01EC6B571D6DB469967126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:04.210{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A3D8E25ACE4DD0BA0BDD7DF0E1D6F5,SHA256=927C3B3BAC1AAACDFD50010282DF78C33D1900C85BE8BFF354CA203643A84678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:05.792{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11A88EC7AEBF94EEED91DDCC239A0794,SHA256=22CD2BD2A39143B9A54E95E722755AEE1230A5BD965146903F578097BB429950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001557999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:05.509{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA2FCE825EAA67EB576450768C272C6,SHA256=A84F18C126BC4453E642BC38EB66C4C7021151FAAA0ED5070326C9AFC56B3647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:05.225{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3AEE9F4447E26EA1802C75C59CEDCF,SHA256=5C021673D73BB5E03DC56994CF5DAC289759B6FBB7366DEAEF414BC587D3B6DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001557998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:05.306{5EBD8912-194F-6154-A100-00000000FE01}44723384C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:05.306{5EBD8912-194F-6154-A100-00000000FE01}44723384C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001557996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:05.306{5EBD8912-194F-6154-A100-00000000FE01}44723384C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001558003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:06.978{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91E588AEF1CB2A2199903AAA5B70A263,SHA256=2A63D4D9C6F3D88F93AFBFE5A1FBFC73E8D2AE32DE5BCCD85E76DA7A9C8BB98F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:04.036{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-4522-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:06.728{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30D20079919209CB0F4729E8C5892280,SHA256=05DDFC8FC3B4B926D479EEDE5AE545EA3B157F2A8650D2358D4B05DC228BF80B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:04.804{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51605-false10.0.1.12-8000- 23542300x80000000000000001464092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:06.241{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ABDE90DE0A7ECB1F22E1BEF35EB09D8,SHA256=C4F4654FB67A08F8D056806D54B3A6FC6D0ABAC184DB2CE551B7D33F54013D57,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:05.187{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-11328-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:07.728{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0AEA5973EA93C310245865850BAA3D3,SHA256=7B7068DC6BE8CC47CEF0BE4F5292A4551187AAE0E7816E9A356DC1E7D9F3A50F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:07.257{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA17609454C1B3617AD52306B5ACA47F,SHA256=3866135288BD4A10C2BAA32F51CF3555F8E1F5E2129FFB3A6BD4A7C79C3CA660,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:06.329{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-18391-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:08.747{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23560A6F2E9FDDFDDCC7DACE2986E5B6,SHA256=9EDA2E2BED92A53BF36EB0414BC49F6519FDC6A8ED439F3022CE26F30E21B594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:08.272{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5868345E9EEF6F3AF8B29BF8864731E,SHA256=EB89E3D524D536B193D1B5472B298B843D6F583E1DED231DDA086D837A4A6D64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:08.103{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2BE26B07F76FA7866B1DFD487BADFBB,SHA256=0408DF9D4A1575E9B6AC92F1B3074D3EC064C214C8F9043638EC8BA497894329,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:07.443{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-25599-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:09.747{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CBF9995209A4E4695FA860425C77338,SHA256=F9138AE4D31585E5A247458F716BAFE304DBFF4E1B6F096723E5C1A67611EE26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:09.288{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D966AEBB1BA78C5ED8FFA0A52434E1A,SHA256=DFF98D4AC3FBB80C57C9E261A434A0F57A76FE4C21D2DC2C9137DA6E5AE2B089,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:09.325{5EBD8912-194F-6154-A100-00000000FE01}44723384C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001558012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1088SetValue2021-09-29 10:13:09.325{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy1 10341000x80000000000000001558011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:09.325{5EBD8912-194F-6154-A100-00000000FE01}44723384C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:09.325{5EBD8912-194F-6154-A100-00000000FE01}44723384C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001558009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:09.185{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD3D200526B8F3AE6DB82BA0996352BA,SHA256=8F421EC97650B495EAE9A2173E66D205AB28BC42031AEAA47B148C4A68802E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:10.935{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7C4B21ADBB8F72637226DE0A51D45A,SHA256=E774D27335AE755BA5C8009C728D003EC07FB5CCD53D5193FC43B1C6AA4D106F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:10.304{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA490C0F33D29EC21A2150456D4F09C2,SHA256=3FEFE55ED03C7348BC81316BFC2CD50C75F1D5868AD13FFCF7A266D2051E5B9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:08.523{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-32356-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:08.363{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65215-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:10.263{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3068065B3986090EEB897B16F806EBF8,SHA256=0F46CF048329747EC12ED07896A7ACBB424BAFDD2DD8E80C7457FAC7AB6C6A15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:11.319{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35FBD02B4C2AA0BC97C58FABE2F23B27,SHA256=95339BD008CFAE55343AB8211DB9B0E278D578DDB57496244F22A7718A57A72A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:09.616{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-39136-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:11.450{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B36079BCECB609C9F79B9E9D6CA53EE7,SHA256=6743673DB31FEDF048D0379572099C813BE74322E3A10C877453957B04E58A4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:10.819{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51606-false10.0.1.12-8000- 23542300x80000000000000001464099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:12.335{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C27984CD83212FC04F2618E8619B6793,SHA256=65D9D41D4FC88CC76F3DD48451AFB3F54DD19BD22FD82198E41B249B33109C09,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:10.828{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-46634-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:12.638{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=917E2FC71E143EE9F7212D99DA57F8D0,SHA256=A1C5F78C9F78113090A43C507016BA5594DB1832EFBE7DA70D32AFBE3EFF8AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:11.997{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596662152ADBF0AFE7B1705B5131A5D9,SHA256=2C4B198316D325E0E3F227F8FB958BF0E994B74BCACB1D03EA8E07C1B8C4BB64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:13.351{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8ADFF9AA5222A40FB87C5C6807D1381,SHA256=E3526A409F369E85761C6EB49EDD8D3A5081C6073981DAF934B26B7B7C5E39B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:11.991{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-53743-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:13.794{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2F3D63822866612A3A39B27B57DE38A,SHA256=2F426DEAB05FA47EB1F4E71AC16DE606AEC3803C1BB588247C42185E2D6201A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:13.232{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA65C202A409BDC1A7C6B85E5D51B8AA,SHA256=EEF9B6D4091F94F8B49DD64CF4BF14B03475478FB75285C9EF131A5F82875CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:14.366{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=151B2787ED13CF08C79702F146A22E35,SHA256=E72B754CCDF445C383750BF9130EA726F8C32DE57FD2BEA57FC24FAC73128F93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:14.919{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FD41D1B09B4EC675F6560F661E5533E,SHA256=F2D8606643D18B1DAA2AD0B824E082D64E6BB72E0E14838068F2FDB9AACA80D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:14.247{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098558D6AD4A06129655CDB93BF78D56,SHA256=6470A913904EECEFD0C121F8E5343F0F5A42E8368F2D91BAA65F4304E9C25A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:15.382{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8971DEDF2D20D2DB1FE65E10C2EF88DC,SHA256=32817E95E081C1928562EE825FD477B1E0AEF90299353F158AC642F81CC42D1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:15.294{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3678445EEB3B83DDEDFF3E06441820,SHA256=9354B6E6EAE6807F8C9288F5C4046899AB155ECFF507924BA33C0CAA2D481D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:15.194{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ACD39E87354AAAA7773E692F82D917B8,SHA256=4D29018D08DBB4C2A32CE2796F260FD7FFA14CA5083B354E1CB3754C3C98F0DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:13.148{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-2063-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001464105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:16.382{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8252EC7E84F00E71C49E67786532B0B3,SHA256=0960B62AECE37DC41E4C6EC8CE2A94A98B937C6FDAB5EAE8B4BAE061F70B5CBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:16.294{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FE75B84EC2D98A28EB4D49D4BDD576,SHA256=AD08474C48EF2E388A46407FF9067FEEBD8B3EE9ABED73DE99E521C226385EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:15.997{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72DCE2295F6AB4F70CADE586C961275A,SHA256=6CFA49A1C7134DBC97650C2B27B26473FB73B1644AA703949215E0D7A420ADE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:17.654{5EBD8912-194F-6154-A100-00000000FE01}44723384C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:17.654{5EBD8912-194F-6154-A100-00000000FE01}44723384C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:17.654{5EBD8912-194F-6154-A100-00000000FE01}44723384C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001558036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:17.294{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77837177AC4987E81C17976C4CDA530,SHA256=07936DC5C584490800527FB65BC23E0A4E723A6ADCEC2262660ED2E74BC2D072,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:17.788{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:17.788{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:17.788{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001464107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:17.538{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:17.397{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9749A1E95B681915637EC9227DE49626,SHA256=7301B150456B0CA12D2819110A01D5238D71B65C92F7D75A846335EDD992577D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:17.122{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61750CAC08D3D20F9573E60B9B1D93FF,SHA256=35E961943480F84A9F8E6BE262ACBFD081ED13481A8E4BEBB3D6B1945F89BE2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:13.504{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65216-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001464113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:17.226{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51608-false10.0.1.12-8089- 354300x80000000000000001464112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:15.944{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51607-false10.0.1.12-8000- 23542300x80000000000000001464111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:18.413{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986796B3EB41B213BCF133DAEDCC02B8,SHA256=1F8340142DAE2D00BE3A74378E9C74D9A25CA47CE014668102F27FE8F87A349A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:18.294{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF123899215D55CA6D58662212FF9DD3,SHA256=15D0BCFFEE2F19157705B5BFD8B41D77D71E8EBDAB28375034E7737E9951E0F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:18.247{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E437DF312213AF861EA28C87A20C326,SHA256=956B51F7E173659EB9B878451F8F68447FC366B1C911B9B637013EC2C62D32C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:15.351{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-15707-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:14.258{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-8977-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001464114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:19.413{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983C6ED102DD8325FC1B3F07431DD6E0,SHA256=A28D23C46A6D2CE324D402F7905143D42973041F2123BE9CA4914BD5A1BFF6F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:19.372{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2E8F9339FC16D5201996898064EB752,SHA256=DF144702782BE5C201793077498321F75DB020E864775A70F7FA3DACE5E9F11E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:19.294{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E564AC1C3744D3F8C3A8A8EF0F5D4C4,SHA256=A46868E0D4F1CCA05BC7D0613DA78D119CDC409477CFE61564725543C540537B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:16.475{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-22382-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001464115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:20.429{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3328DE7BA05F8AC7B828853A29535F0,SHA256=E778D4CF22FEB11A71421DAE96673E29DC20FB7EC437E015BC2037B0AC1D8D27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:20.466{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33B1ED2623D93EF238981663B6BC63E5,SHA256=179C191A3A6A30956292C4A03A972C42BC0EF6A9A33E43E4C57B16F23282397D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:20.294{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D7AD41FF27A48CBDF00A2B21DE63C0,SHA256=4A2498CE4837EDC4CC6D9CB6F6E7291A10911A4ED112D1E382EF458EF5CADBAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:17.586{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-29470-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:21.607{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=110B4DDEC7062C1B660FE27B9B044E05,SHA256=2423A57A761C5FE436E9B8DC996824085F9BFCEAE96F05B1B656D7DAA829EB56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:21.325{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD0D3365C8A5469547D2F599EE7A6EA5,SHA256=E13EB54F15E6A36ADE69011C3E0541B37AEEAA9DDF180469620A8097CCE6698D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:21.444{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974646A908698F5630D8C918FB9E4A14,SHA256=C66DD0438EAA22D7A4E5685B11CE223B3708DE6C47567B86F8550E02C25E5A2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:18.719{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-36495-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 12241200x80000000000000001558053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1088DeleteValue2021-09-29 10:13:21.075{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy 10341000x80000000000000001558052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:21.060{5EBD8912-194F-6154-A100-00000000FE01}44723384C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:21.060{5EBD8912-194F-6154-A100-00000000FE01}44723384C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:21.060{5EBD8912-194F-6154-A100-00000000FE01}44723384C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001464118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:22.460{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F9D8EEE78498C0DD13F7E66DAC2C34D,SHA256=82DA2FB7481E0E689B13A892D79774A97D9F4B50596B896BD228F6CF5CAE1861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:22.685{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2BD9F00C432ED5CEAC3764D1270AAF9,SHA256=42DD1135EA8C7F150A71BA76B066785FADCD0F939AA5B51B39E263DBB8140155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:22.419{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3499FF30C10308D2278C54C6288632E,SHA256=AD2ED9CDC2F50855598EB1257DDA021780B3268D5C5B61C904B748B58A14001C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:19.834{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-43195-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:19.363{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65217-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001464117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:22.444{69CF5F33-1898-6154-0B00-00000000FE01}6364016C:\Windows\system32\lsass.exe{69CF5F33-1895-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001464123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:23.991{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3223F5B4D945006EA81C2CF9AB8FDF36,SHA256=5259F3897ACBA5CB44BEB5779F64057B838AA37E6DE6A0382367BDF4C28939F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:23.991{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4432AC8F37D45C0BCA6FEC7009EC3805,SHA256=01E2F546B7F0ED8CE741466D95CD01085F96F62D5450A42F583B29BD213B5F24,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:22.150{69CF5F33-1895-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51610-false10.0.1.14-445microsoft-ds 354300x80000000000000001464120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:21.897{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51609-false10.0.1.12-8000- 23542300x80000000000000001464119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:23.460{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6BDF0AC47904FDBFB184BC79C8345ED,SHA256=95525CAF8082D24DA24F7318F23AFC652CBCBA1727568C617ABD4013DB8C9A22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:23.841{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6C53D11617A736D8BE6ECD208C8BFF8,SHA256=20D5E25D3A0FE5D0D359364BAAF682341F04CF3C79AC543C572A1958A8BA3D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:23.419{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0663866A297463091A754C64DB344ECB,SHA256=B90A6F766776316D3521FB53918D3F1A56137D89BA57339F2860CD70E7EEABD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:20.946{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-50490-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:24.951{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB4744E52A1BA5E918C820954FE8CA23,SHA256=ACE79040D49C999CBAFB7023377AA2F04FCC3753A856B4BA6A358D9C0781D5BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:24.497{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAC3AD312B5D4FCF40A8720AF1DC0D2C,SHA256=CE7D4FE85A1755EF3DECDFE9B48190C16272F3547C8A40D1DA598EDB15F07AC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:22.682{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51611-false10.0.1.14-49672- 354300x80000000000000001464126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:22.585{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-5100-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:22.545{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-4799-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:24.476{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF686C21EC31C71207B4877835E4BE42,SHA256=539121C9CBFE61ABF50D736D95148B3FD62EDFB2B4B23A4FCF16A199F1433185,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:21.816{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54251610-false10.0.1.14win-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001464129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:25.491{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3C07F0DB0C163A25839A90838BBBA96,SHA256=A65F6426874A3A7D3D3202449B9DE48BC36F4256DEBF61A862561796B1E991C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:25.497{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6295C7065BAE6D3D6C77A0887021D8BC,SHA256=1F6700740D39B759EFB8B5C8A793A34B9C2A0CC1A38A8C0C3BFB2041C59D3598,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:22.348{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54251611-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001558067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:22.074{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-57116-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001464128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:25.148{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3223F5B4D945006EA81C2CF9AB8FDF36,SHA256=5259F3897ACBA5CB44BEB5779F64057B838AA37E6DE6A0382367BDF4C28939F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:26.835{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C46-6154-C104-00000000FE01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:26.835{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:26.835{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:26.835{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:26.835{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:26.835{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:26.835{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:26.835{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:26.835{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:26.835{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:26.835{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3C46-6154-C104-00000000FE01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:26.835{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C46-6154-C104-00000000FE01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:26.836{69CF5F33-3C46-6154-C104-00000000FE01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001464131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:26.507{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13CE45904C2566C48A7EE5182FA16CE9,SHA256=22FFF9ACB0529B1985829DFF8577FF41A9BE0A065E44229D3787C4A686883764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:26.497{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B9F65428D1BDF4F548CC54420D45269,SHA256=DD5C922213AC022222A2478EC98D353A8879E7E2BAD06AACCEF0FCEECE4EE196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:26.241{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=736EC3C88DF871774BF13F38F0D1C899,SHA256=1693005BC6C9F15F9818AE12735D9262D389F27953BDBEA717414F9F23D3BECA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:24.289{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-12440-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:23.192{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-5348-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:26.029{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35BC14334FC32B7339BA8F3AF008106B,SHA256=9E4A35BAEA2AE575C9CE7011B23995EA6370BA839A50FD143E5C5737D2AC4DB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:27.804{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A102C13FCC09785559394BDD8BE4C0DB,SHA256=EA39C94F414EA2AB2860AF7AA8D5FE1A56EA2535C7CBB142427A407746AB1998,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:27.663{69CF5F33-3C47-6154-C204-00000000FE01}13563696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001558076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:27.513{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A41F74F093EA3A77F0F757B68CEAD91E,SHA256=4203EC9CBCF98A8E125B231F26D45C0FD8DE2BC51D3C49CD72E4B5A2B7625BB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:27.507{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C47-6154-C204-00000000FE01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:27.507{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:27.507{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:27.507{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:27.507{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:27.507{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:27.507{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:27.507{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:27.507{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:27.507{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:27.507{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3C47-6154-C204-00000000FE01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:27.507{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C47-6154-C204-00000000FE01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:27.508{69CF5F33-3C47-6154-C204-00000000FE01}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001464147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:27.398{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B72ADA45DB0462E2C8DB038E2942530,SHA256=1E32EA8126912F9E99BE8E6CBD384450BA85FC298302363B5B8E1DCC1ABB1FD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:24.871{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-19665-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:23.741{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-12370-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001558075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:24.379{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65218-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:27.107{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B188C1E30048C4193B2F3BEDE2E2EF5,SHA256=F1F3CF486065E0AA152B086046926AE675E31A7804C1AC87E92BABD89E3DD906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:28.710{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B47DA945B0ED4EBABC1D061E8B0790,SHA256=A4B7B413C050C82030E2B11CA892C7A407D468E5BF1C450EF284497FA542884E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001558080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1088SetValue2021-09-29 10:13:28.686{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicyDWORD (0x00000000) 23542300x80000000000000001558079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:28.544{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F3DF99FBD336103B9B35003ABE6B67,SHA256=429B0D9AF59B57C7ED25A440526ED242528E40F4E9DE5A50461FAA8C81250E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:28.460{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6372117DB39C95F8D82D37897C9576C0,SHA256=D5A1F15D18E70EAD111D172FF4EF79D37C9E169E64B0338FB9F907561825A6CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:25.368{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-19335-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:28.185{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A72A14005E54A1257E091270A1E8B01F,SHA256=F71F88CE646445B68DD441872A8E6E53C4F3A7B507548F360324978DEB8B3342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:29.741{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=617E4B0B88C5C0576A3A9FFD6CA70F13,SHA256=9659E881C21A27E25A48CD8C6BAC7B5E12B9E379B10336A4C5838E6C2DC48AA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:29.545{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF467B1E17CA3395F6F9A2E71DC9764,SHA256=B3999D73A287AF5E4C9F6CA5F5474967A4FBCBA02662283F185183CE77D0524D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:29.602{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1F1A0594BC7EDF9D163D9343B9D7C67,SHA256=F6E96B5E72A1F2E18B473F7D125898F4CCA28407D0A9C453DD467EB9EC50D311,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:29.570{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C49-6154-C304-00000000FE01}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:29.570{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:29.570{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:29.570{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:29.570{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:29.570{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:29.570{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:29.570{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:29.570{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:29.570{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:29.570{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3C49-6154-C304-00000000FE01}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:29.570{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C49-6154-C304-00000000FE01}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:29.570{69CF5F33-3C49-6154-C304-00000000FE01}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001464167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:27.120{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-33723-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:26.913{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51612-false10.0.1.12-8000- 354300x80000000000000001464165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:25.979{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-26360-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001558084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:27.350{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-14778-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:27.326{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-14585-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:26.446{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-26065-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:29.295{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9206BBCE4BAB0EFB441A39EED8B2380,SHA256=EEBCC96867B9C29B360F730D9E6AD14A95DE3B2CA128D413EF28E8FD233A3A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:30.820{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A35DCC342B57A03149BBCAE108983C,SHA256=9AB80C31C8F188ED3EECF717BCB799A99FC275EC5CE3F8131FF9A92481831350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:30.545{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55295297B04181226E0F24DA9C24FF1A,SHA256=9AFEAF817EAA0FC72CF8BF0C6B08CC7E0E1C76DAD1E632FD1835E03411874069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:30.663{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2107482C91168B2EFC57C74644D9038,SHA256=3FCFA26F4769AA27BA4A1B425E4EC5B84EDC59991640E5FA5291AA9A7277FA8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:30.311{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66A4F8C1AAEA67822E7F38F37CF2241E,SHA256=1C7DC81B847A30282AE1931CDC37E60B3C6CE734ECE6F0262A65B71ED83D12D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:31.851{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F94547A6D42F15E84B9A5BFAAB9679D,SHA256=F636DE09B08D4B758F1464832EC6FEDF35D908D56D043A9158765C7398FF01C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:31.545{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488457C53CA5F533209036DB189F6EAD,SHA256=35C81A5F11D541B300367624BB9BCB3944202013A157D66F246CCCD2AB7450E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:31.804{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ACD8706AECF80F784B5A1251F7A8034,SHA256=9A71CC24FE48D104CAAA5207A3582E4FCE3E70CDC88B7CD6F07E9C941B8E99C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:29.309{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-47447-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:28.213{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-40439-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001558091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:31.451{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECC4F0A7693B1EF73255BAC5B3385C35,SHA256=E0D2A6289A4B77B09DA02B2A16385F22A91809A4EDDD5DB02D967C1A96775592,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:28.791{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-40022-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:28.555{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-21170-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:27.541{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-32608-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001464190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:32.945{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10CAEC1D7B8E74E4EAFA0186BB079028,SHA256=48ACB377CAFB4A1DD2B0FD8F21EF0C000DEEAF875DDF68BC63DEAF4E2580193F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:32.882{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CB9B68D5AB2C931AF8F16117EF78191,SHA256=13C2DABED5650E95CFDAAF4D600E9D621E7EF966C2C2E1D1D0EF69D7DD053DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:32.561{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72F2770AA7AC3F5B771185AE1C8BFB95,SHA256=4C46DF69482287C2301F0CB121CB82FDEA36089B079F4A8D02393D4E0E837B34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:32.545{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F86A67DCDCFB42D8AC4E2E001F28E616,SHA256=94BFB6CEB3873FD3AB15A9760D2E28A06B154A8E76CF0714EA93F4E98AD70CED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:29.680{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27514-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:29.552{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65219-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x80000000000000001558096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1088SetValue2021-09-29 10:13:32.045{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicyDWORD (0x00000001) 10341000x80000000000000001558095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:32.045{5EBD8912-194F-6154-A100-00000000FE01}44723384C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:32.045{5EBD8912-194F-6154-A100-00000000FE01}44723384C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:32.045{5EBD8912-194F-6154-A100-00000000FE01}44723384C:\Windows\Explorer.EXE{5EBD8912-3BE4-6154-F304-00000000FE01}5712C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001464193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:33.929{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F1E61B5C1D8E7526F5B69FFAFECDBB,SHA256=733FE97B9062CCEE5E4ED892F598A3BBB76EF614390BC17F421F12DBA3D3DA92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:33.784{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-147MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:33.688{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94CF0F9D33DB836FB5220344115ECEDC,SHA256=E8A6931C1285C2B60DC46E4A0EDCAFA74FA61599E47DC4A7A661176B3C99339E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:33.547{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8AC6797EBD590561C756AA378D8D8D0,SHA256=8E392A8D498597598277D8BD6B0C086FF54D2C4CC85BB046BAAD2708F659714E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:31.527{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-2366-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:30.416{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-54294-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001558105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:31.009{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-54494-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:30.790{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-33721-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:30.502{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-8017-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:30.481{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-7869-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:29.898{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-47007-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001464197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:34.945{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88523EDA5345FEE0DD4F4813492443FE,SHA256=AFBB7FC3C6057E532BA09EA5C80757DC3F50764430F26792E4CEE64FE729A11F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.813{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=306298B6BC86917A9A0C4758E2C2991A,SHA256=E3A9E6F4E88482E52797E47D7B7683B54BDCEC4A29E35C5CE5A56D15B2AF792E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.784{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-148MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.549{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FEAD5ED81EB97D3517DFF635F99C682,SHA256=CB123ACBB77559142EAD1DDBB064701B53F9C527D7FA570BD58ABD3E662B1CF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:32.742{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51613-false10.0.1.12-8000- 354300x80000000000000001464195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:32.682{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-9247-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:34.070{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E30827A30C48B82DF43A9ACE936FE5D7,SHA256=FD325E5073AA6AEA0D8BD6FB1FED82FE3AABBFFD7EF4DDCFD092D69B76F8FA7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:32.127{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-2197-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:31.900{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39460-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:31.691{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-12953-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.424{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B460FA6DD3260E29A933341EC2756830,SHA256=EBEE6049BEC1387410C0D1828C32300B1D5C0A3F28DDE1D358670CF7305E7989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:35.992{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EFA67DAE69AEE52BD0DF00BFADAB9E6,SHA256=0E11C7A5C0ABEF012DE67615F0DA146556E50BF23534859E4F8151B48EACA857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.551{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD09B9D22469B19D63B350EF6F5D12A,SHA256=021F9FED084CD62F619EC0D893D47125AC687ACA067D838257FF1DE6FCFA2EC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:35.210{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CBAA3F2A3656EA4474EAC207434ADFC,SHA256=75274B5B8DB87D283050561AF158A8AA117985A0B1ECF3F31DDEDECC609A1341,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:33.410{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-10360-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:33.388{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-10225-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:33.365{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-9972-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:33.328{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-9705-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:33.292{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-9583-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:33.271{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-9455-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:33.249{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-9225-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:33.215{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-8996-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:33.041{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-45929-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:32.789{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-17581-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.597{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B1D63C6F6D9C0651DA7507637C36B5,SHA256=30EF061A886F28065AB7DC0B3D5845F213A1A59D42F5510C292A21354467821A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:34.068{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse119.167.194.165-65078-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:33.802{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-16436-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:36.335{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F106FA372AB28831D86682AC917DB77,SHA256=85FA7C391CA87FFF2B176BC37A8D74901337E83FCD27B1738A64B733235A1633,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.501{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-53797-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.480{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-24952-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.436{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-24662-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.382{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-53404-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.360{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-53248-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.347{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-24377-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.326{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-24158-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.324{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-53081-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.296{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-24069-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.287{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-52962-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.267{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23829-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.266{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-52860-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.244{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-52729-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.242{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23754-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.222{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-52477-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.205{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23722-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.189{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-52293-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.169{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23645-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.153{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-52196-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.138{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23495-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.106{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23359-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.072{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23221-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.041{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23051-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.008{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22913-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:33.977{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22828-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:33.959{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22735-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:33.940{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22676-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:33.922{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22535-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:33.887{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22463-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:33.869{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22368-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:33.431{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-10536-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.363{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AB7B38A975F600E653BD84738D78E99,SHA256=9ED7135E69A8F7656A40A5BB6F2C7808128CC2D2DD5D47B3F0CC5AB343BFCCE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:37.597{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA2833A61B685A8E5845A8A277F60DF,SHA256=22A6039B4A471D654B6604C759AEE9E114EE527C0BB5B58A198E0A3E96272C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:37.460{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E13CFAC8171416BF6430DA2293452CEE,SHA256=B38F748F92FA39EE051C9EE5A8663B985BD710904CE4676255354ACA5D22CD30,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:34.948{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-23449-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:37.038{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE1268A6A7C4325A1A8C7BC98D4CD07,SHA256=B96C7A88787F9C69FB791EB01599153827EFDF90C5483820E407A486DD8AB2A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:37.488{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=828C2C6CCA2920215E0CBAE3B5100ED5,SHA256=714DD21E03D26F745B92AC8B9B9AD8A814969690D61C1D9EA92933981816BDF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.600{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25589-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.581{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-54418-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.581{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25524-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.578{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-17768-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.563{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25420-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.559{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-54188-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.545{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25281-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.542{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-17656-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.523{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-54055-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.511{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25123-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:38.879{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E783BA33F5F05933890F5775F5EF85B,SHA256=4432F74A941F31A7FFD52AB61939DD029BA2EF21135794B15E847720BE4F1CFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:38.879{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91ABCEBE13128ACD5DCAC17E9D0BA7EE,SHA256=D61AB0FE89329280BA8DE1C26734DE154D8B1996B26E00C849B0841B96AD05AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:38.538{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4547D8E4A1739B8235BF493B2481C70,SHA256=2EC3FF7D5872D64C0040BDF82E9FAEADEDD37D9319463D4A624F0D161597360D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:36.072{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-30386-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:38.054{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3B6D58F97AA55A243BB35CDAB55A89,SHA256=E091DF113361B517FB82727C6A0BFC2750C4F03FBA86603583FE926C02C940F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.574{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-6401-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.537{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-6252-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.515{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-6025-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.489{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-5748-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.442{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-5663-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.408{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-5451-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.372{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-5343-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.350{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-5213-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.328{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-5081-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.306{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-4895-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.270{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-4679-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.233{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-4562-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.211{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-4342-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.176{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-4164-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.140{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-4040-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.119{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-3854-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.084{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-3628-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.048{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-3385-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.008{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-3268msft-gcfalse10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.986{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-3132ms-rule-enginefalse10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.965{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-2887-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.928{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-2779-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.906{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-2587-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.869{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-2468-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.847{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-2273-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.811{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-2139-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.788{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-1972-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.755{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-1737-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.740{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-30253-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.718{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-1608-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.707{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-30109-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.673{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-29966-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.642{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-29877-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.623{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-29726-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.589{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-29631-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.571{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-29520-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.538{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-29392-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.506{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-29261-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.472{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-29201-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.454{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-29090-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.448{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65220-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001558208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.423{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-29033-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.404{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-28965-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.386{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-28825-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.353{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-28673-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.319{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-28590-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.301{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-28516-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.282{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-28328-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.261{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-28114-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.224{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-27977-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.184{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-27913-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.154{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-27886-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.133{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-27850-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.114{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-27780-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.096{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-27704-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.078{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-27551-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.044{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-27478-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.025{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-27386-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:35.006{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-27256-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.972{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-27100-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.938{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-27014-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.919{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-26862-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.886{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-26722-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.855{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-26661-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.836{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-26520-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.805{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-26372-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.772{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-26233-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.738{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-26079-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.738{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-18817-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.716{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-18624-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.705{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25996-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.687{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25863-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.682{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-18399-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.653{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25797-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.645{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-18249-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.635{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25649-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.622{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-17981-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:34.616{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-54552-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:39.894{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD1E4C072D469E67F8984EA6F7F24D0,SHA256=171274052D7944FD1D3F1F884B1424265CAC12C896D0DDF49FD8D846A94E5400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:39.617{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F922FF468A8A13D62C4E4284FADE18F,SHA256=0E3467DDADFFA8B4F545D035915A9F27DBCE9BB44957BFE6AD1CF82E7C1DE684,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:37.184{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-37635-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:39.070{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0232B3A94B3DC1C7F40B9257ED6CEF67,SHA256=9021828B6084029A26AEE6288F0298E20D435FBBCE6A3C96BB363B7D99C14C83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:39.863{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4A9872FFA55851F472A721A11585A20,SHA256=894F1E4846C9CE54D0E4DD64E8F462679D39C4CAEE581A3A3687BD418A0C488F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.759{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-7248-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.681{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-6947-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.644{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-6777-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.608{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-6593-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:40.910{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3B621CF478301DE6177F5085801A8B,SHA256=78E6A79AABBB460AF16AC01278C8B5478D0E6D73827281AE27D20D381232A9DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:40.742{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16DFB888A59582DA0CDF258713293718,SHA256=C5EDB33802F83F15AEAF0758186EDB14BD9F37DF0D5D73F25DC1B903A0094529,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:38.262{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-44191-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:40.085{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BACB8F5AABF2B71993725D0A6855A81A,SHA256=6CF57C98BE4F7A41919AD84F72584FB38AF6A69685635E794E13D8140437075C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:38.005{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-40102-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:37.038{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-8834-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:37.003{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-8225-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.890{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-35130-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.878{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-7894-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.831{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-7686-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:36.796{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-7486-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:41.926{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB88E809E6E0F302A8E066183131DDDA,SHA256=634C20B24DEC12359C91B7545E62D41A996A8392752932B8FC0356AF8808EAD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:41.898{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26B6428EFBF56D18A1A7BCCC9957C844,SHA256=9AD7C33D17626C20894A82BCBE159AF8E5C9775607902E9A28B83EAC6705B043,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:39.355{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-51100-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:38.741{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51614-false10.0.1.12-8000- 23542300x80000000000000001464215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:41.117{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A24772ADAEB73CDE228B979EAD53CD,SHA256=CBE4A4813AFA8F52ED1B3CE74C54B72CB3071B4C08D94C53DB10D50E24EB4DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:42.957{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E38B8EA1037EFC2E99418F671B3B9C00,SHA256=54C43CA9DBE27BE5B1A915B990C6D72A305D1BFDB0D5ADD638561E566AD898D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.976{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA146A15C19EDB2C685C9554ED3BC60A,SHA256=12191ECB9A738289A440C49EC7A6B2A0DA667B5E2A1F0F3BD09972330BDB821B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.773{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C56-6154-C504-00000000FE01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.773{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.773{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.773{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.773{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.773{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.773{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.773{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.773{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3C56-6154-C504-00000000FE01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.773{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.773{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.773{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C56-6154-C504-00000000FE01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.774{69CF5F33-3C56-6154-C504-00000000FE01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001464234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.508{69CF5F33-3C56-6154-C404-00000000FE01}3244584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001464233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:40.513{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-58441-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001464232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.273{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C56-6154-C404-00000000FE01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.273{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.273{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.273{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.273{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.273{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.273{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.273{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.273{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3C56-6154-C404-00000000FE01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.273{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.273{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.273{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C56-6154-C404-00000000FE01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.274{69CF5F33-3C56-6154-C404-00000000FE01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001464219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.133{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF0494C1D68DEA3E46FF5EDD8294B03,SHA256=7AF77FBFFB8ED30DD914C1B2C34A5FE5534D7FDC7BBB48EBB73438C6AADE7422,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:42.598{5EBD8912-18AB-6154-0D00-00000000FE01}9085788C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001558270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:43.973{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0788F26B74886960BD73E0DDDB6580F2,SHA256=D4D6D4765380D2CCDCBB1490D8B61E3DA83486370EAF8A554A94FCA79FC45767,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.773{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C57-6154-C704-00000000FE01}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.773{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.773{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.773{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.773{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.773{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.773{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.773{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.773{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.773{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.773{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3C57-6154-C704-00000000FE01}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.773{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C57-6154-C704-00000000FE01}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.774{69CF5F33-3C57-6154-C704-00000000FE01}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001464265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.492{69CF5F33-3C57-6154-C604-00000000FE01}18208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001464264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:41.621{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-6606-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.414{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05269C025F26E84DB782D6B8A6982740,SHA256=CD6914FE7EB7D5E93E70676F6380DAFFDFA0158AB90921ABD3ED3467D9028815,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.273{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C57-6154-C604-00000000FE01}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.273{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.273{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.273{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.273{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.273{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.273{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.273{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.273{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.273{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.273{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3C57-6154-C604-00000000FE01}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.273{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C57-6154-C604-00000000FE01}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.274{69CF5F33-3C57-6154-C604-00000000FE01}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001558269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:40.480{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65221-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001464249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.023{69CF5F33-3C56-6154-C504-00000000FE01}28922540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001558271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:44.973{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8448859A398B8B6DECFF9B9749042C4,SHA256=2A5A2DA8A1328224CE88EACD496BA13CE81C669E2CB914029DBD54C8EBD996A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:44.554{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC538124B0FE893C0EED354AE24D659,SHA256=EFCAEA9B640BA0B7D098C41F8B0F30A510E24B9A60B46C7DDF15F7CADF4C4690,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:42.699{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-13571-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:44.179{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0283BDF23E3D47D67F215E474301508D,SHA256=D3B17111BA43BD1B61DA7AA4BA525140C4B3A8768F2444BE1AF4D93783BF4CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:45.539{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5468386D334A50E49FA0987504D47534,SHA256=24DA1FFE7C42607F870F27544F7F9ED25191CAB3B2EBA5CB049FDB5FE361568B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.902{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-20972-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:43.819{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51615-false10.0.1.12-8000- 23542300x80000000000000001464282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:45.258{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EDE4BE579612E2D26F52D4AE8C95658,SHA256=5B3F48AE7EAC345095389CD2F872ECE8257E2A6BD5DD96484CE702B54CCB4DB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:46.554{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6497BF539AB02F475AB992D2A72C67F,SHA256=DEF725B6FFDE34B2021E8B1734FE366E6A16F21025E6D845FEB0E8DFAF8F9BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:46.004{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFF8933F38353A95F03E14054A28DCB,SHA256=3F2D5C6B517EB826DD32A4F21A203C42F8DFD20B8ECFD4D14BE7D0E1B9D10FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:46.492{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0E01A12CB548AA0568DE5F3563FB3CC,SHA256=CBB0ECEED0A74F8E70093115E180D0F6C500DAE1EC424645C413F25A835553C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:47.585{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32AC8297303E07B862B0FC7860D3352,SHA256=07F7DAF019C70912D0A3D429B4D6C095DC68F1B3FAD018076E43E399F3CE533C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:47.598{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:47.035{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78122F56A990291CA759129176B555CD,SHA256=3E2D2270C1853B0E08C106FA2CEFDC259F08CEEAEA5593ED7B37805008C56BBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:47.570{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=203D0CD46B13B6FEC3154FEEF7D1E08D,SHA256=3C08EE1CCCB563457585B4C5E9167C83412A4295B56E87DF41441972559F7A27,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:45.117{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-28641-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:48.648{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2388FA0207EBCAEA277EBD3A65BAC5D,SHA256=C7D00DC658CB31B0996A23BF0FB59CB67EBA12C6E536CD2F93CBE6342F56C544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:48.601{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E241B052D186658F506D9CBA0FAECB34,SHA256=F08EDC6A88271A5F8E36A340FAF6F847A2FC3BE874E6952C323FCBFF345173CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:46.901{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65223-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001558279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:46.417{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65222-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001558278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:48.581{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:48.581{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:48.581{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001558275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:48.098{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1F357B15E86CA4B54DA667F8F40647,SHA256=CAC87944B7EA9327359700F3DAB69F7BA5A2660D25B8A7170D89167949EF12F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:46.214{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-35091-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:49.820{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BF099B2A859CD190304D386E589AC88,SHA256=1CEE4A8BA5CC67F9B2CC92E52CFB884D358F0CDD9344235FF8084C3CFDC35B3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:49.617{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEEEAA32EC48F7DF6F49CE608AC17EB6,SHA256=E21DAF4A0D2D264366F798D2586880A712FCA9678F9DBB5F0C8321880A871F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:49.113{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0860FC10B648295AD2A0B2843748E402,SHA256=0870E9D5EE27A56C2D37744FEF39F594F601E132B832A2918ACAD78C977BD65D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:47.292{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-41869-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:50.898{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F291B2A4B2CE056841C98D75ABAA261,SHA256=9A3AFED79FA0B958FC0FCD49E50D511EC332B9BD65528DAD5F4B1CA9133CA5D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:50.632{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C36FCEF9DCAF3BCD2B4D5C124C3672,SHA256=53C75B5DEA3ED46FE79352A51A51063F96AC2D951306BF331C78B384FDC59F19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:50.269{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=511942522F959B5E0CA6E655F18F8645,SHA256=66BAB49BC2DDE7761C5F886D3C062779CE8871B691468B859656A15E015EC96B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:48.371{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-48059-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:51.695{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85B010195742F25E5C9CBE729CAD27B,SHA256=FAA5B5797069F933C2F3589A33883AB3C2F17FB4C8FB8EE57049490C99DFA074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:51.269{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA0187AA3175D190E5150DC8367A579,SHA256=8844A880D3660391A12D90DDE451FD13032D267A968162998BAF60E336BAEE38,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:49.542{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-55338-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:48.881{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51616-false10.0.1.12-8000- 23542300x80000000000000001464304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:52.742{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907A0A9D66E006D20F3B94C607906CA6,SHA256=95C2C6D8B3EAEB3937C613FD103ADB4DC1E260F06893EBC9E86DC5547B300B73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:52.269{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6F07230DC17EAB9E227580A7FAC78A,SHA256=A87E5DC2EB5BF634A2597908AF064FF4DC61F9F47618E942A5C2D48E62C9E2A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:52.023{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E770187FD2F14759D8FDC1AB2C29E746,SHA256=2773F7B0DD0CF0CDF98CAF2959C0F891B18CB2A4AF08D62E770A020D8A4A6636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:53.789{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9965BA3E5CD73BBF6FA4E3EBCEE8B9AE,SHA256=D0414AEC6DF2A20C03DFDB86A443C269DE1FD584B1075210B68768DC65033228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:53.285{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C91F061B598F323A6140C4120BAB8D,SHA256=DE265A4FB0AF5DC6195B4C0386EDFCA20F8AAD80697A71421A86467B1C19B68B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:51.746{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-10359-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:50.635{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-3176-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:53.086{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E61D22865B83BDD2C53862F19861A84,SHA256=B762DA65F4582419BC192497F43A184FFBB9F836778CDA3390638FBA942E4E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:54.804{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA22FB06CEF6F8096C31D0C8186545C1,SHA256=85628DE90BFEEA7C3ED3C5691B99A06464149DA867B580F35883EEE6666D94BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:52.369{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65224-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:54.285{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2941A9DEF4C9D3E81A6A3BECA05DC570,SHA256=539EDA19EB4BD7B17721546E3A76FBA45A85A1B540A1D3E3887A4D287EBDEDC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:52.839{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-17018-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:54.195{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C1CB6D04EE8C868254CA90ECC59D34D,SHA256=4FCAAF6B868165099E61DC3427115794D20D0BB33D073BB5235FBB5CDA28708A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:55.804{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3419C6ABE6161A40C3998BFD10AB364,SHA256=D5EE2F1450C8DB619B162D0AC1DC8340C24613E8009E2A7DEC301D09FA55613E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:55.519{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF628A19FD6C6284B41B8C1FABC51F5E,SHA256=E577E9FB8A4BA4531DF03FE8699D3E1551114EF58781DB588DB66ABC2AB5E922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:55.320{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA2F52444AB0DA6C361E98272694A877,SHA256=D668FFFC86FE3B4D1589ED608C1506233722E19E9A34B029B9B05802697FCD3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:56.820{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F74F30A4AC49F92D8D65CEC85534D41C,SHA256=623AC6696629B4DC1946AD2CFA2594EFEDE46B87C50FF505E45E3D58635F0230,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:56.707{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3C64-6154-0205-00000000FE01}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:56.707{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:56.707{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:56.707{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:56.707{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:56.707{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-3C64-6154-0205-00000000FE01}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:56.707{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3C64-6154-0205-00000000FE01}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:56.708{5EBD8912-3C64-6154-0205-00000000FE01}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001558289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:56.519{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE9B6AAA9886F443E3D9E884CEDB208,SHA256=4D6BD75A47F32F1D2D19EB8CC6F80FF28241E188400B8F703A7BD2F915FAFA28,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:55.042{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-30771-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:54.881{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51617-false10.0.1.12-8000- 354300x80000000000000001464315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:53.932{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-23452-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:56.398{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=897E29AB4DE8CB27BE3D7E82CE503471,SHA256=A9779B04190226F2B21815FC14404B8B5BB2474F1335BFBE5961638BF74F5D3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:57.836{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0B73722B4F238A3B36AF49DED3E95B,SHA256=62A023CC2E173B63C506B5BB58A5C724873386F4647BC3793043E4F49088AC12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:57.878{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3C65-6154-0405-00000000FE01}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:57.878{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:57.878{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:57.878{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:57.878{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:57.878{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3C65-6154-0405-00000000FE01}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:57.878{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3C65-6154-0405-00000000FE01}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:57.879{5EBD8912-3C65-6154-0405-00000000FE01}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001558309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:57.707{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73389728BC4C50F8CACDE40E82B94BA4,SHA256=EDD05530BC5F508A1191F4AC31C2E8BA5FDAACBC87EDAEDA99C7331150A0F66B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:57.707{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E75F7C94BFF8EB234E8EFB28FC52835,SHA256=FDEB20F8DB53485C42CC3BF50B3C318DB2AD46C83D5FDA53604F2F2D2C5F6926,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:57.660{5EBD8912-3C65-6154-0305-00000000FE01}1006056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001558306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:57.613{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D333E2CB32A4A523CB9B4F610BAEEE1C,SHA256=F53FC27265AFA8E1B07665F1A291F2413791D8D36A238528A1ABB3493D3F937B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:56.135{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-37555-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:57.523{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E65307A39D9911077031AE94DD95998B,SHA256=D612D02B2B1BEE8536813F3E75420CF930816FF7D0A2196F82B451F5FD86DFA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:57.378{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3C65-6154-0305-00000000FE01}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:57.378{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:57.378{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:57.378{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:57.378{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:57.378{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3C65-6154-0305-00000000FE01}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:57.378{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3C65-6154-0305-00000000FE01}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:57.379{5EBD8912-3C65-6154-0305-00000000FE01}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001464324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:58.851{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E243833C617CE24B4AE296CE15AD2EE,SHA256=AAB12E1614F03F0BA3DCF6603BFDE68F8CDF2FCC329D462BC78C2B40E1ABCF92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:58.957{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73389728BC4C50F8CACDE40E82B94BA4,SHA256=EDD05530BC5F508A1191F4AC31C2E8BA5FDAACBC87EDAEDA99C7331150A0F66B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:58.628{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC465C759A5BF9C182871CAF37FD4783,SHA256=B855F241D29388C3E55FDDB71188B5624F1211D0E3B53620E3954F9BA1280387,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:57.246{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-44693-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:58.601{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB87C96EE3C8F5DC443B8C9B4C483E40,SHA256=2601A43CD1D5A2CF2E7E559BFC39B8BA067D662772F16341CE06A574DC07C693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:59.883{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452F8708998ACFDA4F1F028C723CC25D,SHA256=5EFDD6ABAAC795E2284C45CF3076F9582881D1EF16401B774542E72B455776A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:59.629{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C64D19D62F0852B0C3896C7B41D81D7,SHA256=F1EB3E93750F3DFBD470BD712F69512BC5DDDDD8DBFE5052A4286A7947CC9F6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:59.789{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E187C7545F64A07DD87586C8A95B58E,SHA256=39C8EE5B8EA4910A90C8835403BEAA43A29761079AA3D1ECC0ABC4053BE2ECEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:58.397{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-51677-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:00.914{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C66AC174074E91AE2CEB732B9BAA4A0,SHA256=FDD7A50A07F9AB2CDFF269B97D955AB493D34422F609D02553F3DB57A1F2E278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:00.914{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB019152C3B71E6BED84E2B1C46A2729,SHA256=6A058E4C6D3CC7323E73A77973BDF6EBBA5DD03D158B034110F076EEFE1D9AD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:00.754{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3C68-6154-0505-00000000FE01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:00.754{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:00.754{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:00.754{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:00.754{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:00.754{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3C68-6154-0505-00000000FE01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:00.754{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3C68-6154-0505-00000000FE01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:00.754{5EBD8912-3C68-6154-0505-00000000FE01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001558321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:00.644{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F113FCE6195F790B28B179816479254B,SHA256=5D37CF4DDAD0792F1D4AEACBEB1F93DC3ACF77195FA0A0F5432F4A272BE7DD36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:01.992{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57C31B72952474AFC25D96FC09278C76,SHA256=2D4560B66D1257D92C429BCAA382E151D16A30BC60889AE8ED8C6D1BBFE959ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:13:59.527{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-58697-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:01.945{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D49859D8AFE80CAB3790A0BBF88B0DD,SHA256=B0EFB108035FD2A567AEE12567A64112D02C7371C858361CD73415E690E83F4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.941{5EBD8912-3C69-6154-0705-00000000FE01}43562668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.754{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3C69-6154-0705-00000000FE01}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.754{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.754{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.754{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.754{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.754{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3C69-6154-0705-00000000FE01}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.754{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3C69-6154-0705-00000000FE01}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.754{5EBD8912-3C69-6154-0705-00000000FE01}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001558342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.675{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEDA3B7D105EE3B200358431FD715E9C,SHA256=C4C9A12AF5314C03791CB56950058E8F4A65D07AD927A8E6C3FF64A4931AB3D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:58.354{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65225-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.644{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213656D486CD02D5489344C12071C36F,SHA256=D1BCE2C09411893727736835C1B066AA83E004F7D19310A3882A333CCF488F6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.488{5EBD8912-3C69-6154-0605-00000000FE01}29205628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.254{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3C69-6154-0605-00000000FE01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.254{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.254{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.254{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.254{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.254{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3C69-6154-0605-00000000FE01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.254{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3C69-6154-0605-00000000FE01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.254{5EBD8912-3C69-6154-0605-00000000FE01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001558330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:01.012{5EBD8912-3C68-6154-0505-00000000FE01}61004932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001464335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:02.945{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=673B03C822AD890AA6D5CEB7327ACE57,SHA256=6EC0932DEB802C84E8B11790BD5116D7BCC2DC8A1CCBDF6481F598604BA49643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:02.988{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC7B28529EC972B15A0E3B3208D12427,SHA256=E1AB1D2421BB48A406E97EF011792A346389189A7D79105AA5519BE30CD18A0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:59.979{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65226-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001558353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:13:59.979{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65226-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001558352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:02.660{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10337F9EA12C6C2B3554B16F039FDFBE,SHA256=ECE2F4A6FEA1C2139FAA73960BCA88B56DBD4B52FDD9C1789350CBEE4D600549,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:00.756{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51618-false10.0.1.12-8000- 354300x80000000000000001464333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:00.637{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-6735-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:03.963{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BB0E9CCD6DAD7A8C538E7E9FE960D1,SHA256=278ED34F0FC16411EE0734A0B456CD09AFB838B21E3A5AFDCF684B972F03E486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:03.660{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB10ABE7AB789A5CF329ACBE51AF0D7F,SHA256=27D80BBFD195D7BAED34924A8A0FE5D3897B65960332E4A3B6E02507E00B5AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:03.903{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-148MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:01.716{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-13543-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:03.070{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5152749B78DDC7B643191D1F20E7FE9A,SHA256=36479C62A39C40F2A4349252A7E78C25A248EA6FB6F59D10F6633C65C6FBB324,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:03.504{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3C6B-6154-0805-00000000FE01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:03.504{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:03.504{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:03.504{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:03.504{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:03.504{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3C6B-6154-0805-00000000FE01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:03.504{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3C6B-6154-0805-00000000FE01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:03.504{5EBD8912-3C6B-6154-0805-00000000FE01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001464343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:04.977{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20726D79425DD5E0D23265C12499D3A6,SHA256=7C237B2213A066455FE3F73DAB98ACDD5BF4FC878FCC1B05FAF0AE53F379D958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:04.660{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAAF673EC8741015EA0E4624843AB624,SHA256=06E5A21D496A74FC5ED8AFEAFC2A281B6ED18C3EDC01603A4730DD3F9625102C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:04.902{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-149MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:02.856{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-20309-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:04.244{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B3867126820ABA01D0B2A6BA8899343,SHA256=7340483074104DEC1E298EB064BFD89BA905D6C2DBA6B4AEFDD8BFC37D65D125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:04.613{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EED16CE649622BC5727D8EA368ECB7F,SHA256=3187245267F73B20426C3DCA8E3523F23C4D3397C49DD741B0541AB7F9841F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:05.675{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34AA32D932DBD9C3647AFDD94275AF48,SHA256=CDA8F29C2343E77DD923B6E0FA5B43E861F4B98E9AFBBE6D6367AB8EB5841505,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:03.994{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-27854-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:05.368{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=676DDFCA594FBC22A4F0588D02C73F31,SHA256=E9D728AFD004A478A5E84F5FB5676D24D59130E75EB1BAD01128552163D87B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:06.676{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F201F660D89FCF4970A4AF349B877CD,SHA256=37FC962B5C2994F65C46A21EC91470F15E1291D8248BDF687705FD6EA75E890B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:05.122{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-34708-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:06.511{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F12A56E4053411EC09064DEF4F7B85F8,SHA256=04E1BF6407C0F4C1A0B7D64E5EF199A3431267B1E450DBD5CACEAE8655501713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:06.026{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB610403F95C5673141AA663CDE690B4,SHA256=2C4E9CB226D28DD1D3A53966C433C6308A73288F4D19A94C6ACCD2F7A3ABAF03,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:03.557{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65227-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:07.676{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943D8A039AB6AC8F8EE2751A8BA2507C,SHA256=022B798BE1B476F079E4F5865E56DEB94603CF2B7C28CDA8C4BFC6A2F86EBC2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:07.745{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A95E89D736702D3B3B66F98D19859A9,SHA256=6AF05E23968496F7EE33663E3DF85E3590983305E120F86612A3BEDFAC1F919B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:07.042{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD2A025120D06F99B5EA3B073DED2B5,SHA256=640922D8624063EE6CA742E7591052163CC2337CBDCB543854362F70E347E561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:08.679{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A6984A0E20D2A3789671A184EE832B,SHA256=C18ED91C573C824717A17CF1AAC6470DD63392909C27AD7B7BA74DC3DCE65CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:08.870{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDBE3C5096893AF494F3FF7EE6804874,SHA256=A1277274605046FA304BF0F18BF1F77AF6D033A88BC896B797F9DA2D1F1EC95E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:08.105{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1270E345AB293E5F87EBEC4E8371E65A,SHA256=0B520633411E72972F50241C0CD07B70A6A3877E283470607F9AB1BDC9566759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:09.679{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB2026804C2B5EAFA45ED64A03AA499,SHA256=B88FC9AA9429E25A38E5A9D0E99936A32D71620BCE8B474D05EA98E9B0CC9885,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:06.262{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-41841-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:05.931{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51619-false10.0.1.12-8000- 23542300x80000000000000001464353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:09.120{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B5DC4EAF5727339049934BDEF493F1,SHA256=A6BCA822CFF959ED9A2D8E1FC4ECBACA30C9255141A6C54DD209DD3524A2E799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:10.695{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7151CC70027E2581FD634E87A84F58FB,SHA256=C2A9C66BADC2CBCBC1D4A5D2049B9F453283E262237E933D8CB321E88F9EC06F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:07.482{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-49399-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:10.151{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A436E078C9E91D8C4736E5FDE0653BD,SHA256=3D0399899EA6C85664C5C54864EF18E16D294CFE0BC245182C04E4CF293F7DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:10.026{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A71CD3571791DF884818EF4B26FE0890,SHA256=298DC0CD598D0288ED1635449AD6531FB03149800743CD0CAA9A24E32B57C3FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:11.726{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6340D3A6921C9D3659C36A8EF9BC7FA,SHA256=3D6527EB79C80C3FA84AC923A3FD3C1105310B0E962973CC52B8A385718CAF57,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:08.614{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-56574-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:11.198{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88582D12D148046167283D3A2C579375,SHA256=C993C02E95BBED5FDD4F024F62A31E10DD596E0EC55977952FA12BF89C88657C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:11.151{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E052014F340C0E0E1BBD3122E0EFFF3,SHA256=28D59237047661602DEB87CCB652E02A3F5A67F27D0BCCCF557F36C598222C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:12.757{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911F76FF372BDF96CCC8BF8DBAB0C4DE,SHA256=65CF49D925A7B04E194C97F4652D5DA774210AEE63C37C6ED1B4572D493990F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:09.761{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-4920-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:12.276{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE1134A06B5338D70A97FC1094D44F90,SHA256=E0FE9D4FEBC257E78463C3C30FC12B0995983C65383B002B6448CE7485BAC122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:12.198{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8422A8F0D939FD9E239644801B4EB4,SHA256=94CA8D81FDF19AF4A872322D27B98F43DC8C6B943F8C3C2CFB8DC7DF22A70D51,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:09.498{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65228-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:13.773{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A4C06C44EFD18C83CE4C57A5A11711,SHA256=41EDE516599951A9A03D14F671365B5D06F419B69BA5918DD021178615B08ADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:13.355{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=504342231530B07A7BBCB6BD628F4B70,SHA256=A502D01AB2CD1A9F3C25A7B024A3150BE3E33D073654B23C1B46917D5E061A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:13.214{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F5C7BF13A18B0F121853D23756A73D,SHA256=A217DD86F7025B6AFFAEA7C1EABCEA816555BA8E3F1DF9B2C1DF4616439C2A0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:10.909{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-11882-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001558378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:14.773{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985B578677CBA9AADE26751198B3206E,SHA256=02C5566745F20D34B744F49465DD88674F4132D5063DB863476C9AB78FDB7137,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:11.869{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51620-false10.0.1.12-8000- 23542300x80000000000000001464369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:14.433{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B649000D1FF58B155B4AA583CBEDA9D6,SHA256=06603163241F6F0E1DF7152C645584C682382C8003018419ADE4EC32D46DC2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:14.230{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58BA2A6875856490BB38FD419039AEDD,SHA256=572846FA84744FFC6CFDEB3A2A3BEB27946BB7912D4973DDE9CC3B0846D3E2E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:15.789{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0988EE6F292E4735E73F71C8355B6902,SHA256=A02351293B3BA31ACA64AF6AEA215D1AE567934690B3257130E97BC3016205E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:11.999{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-18834-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:15.511{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8276A7857F8240816FD608BD41B69676,SHA256=EF367237B0952ECE26E5734493A44B7CBA412E6541CF9D6B95AA2D59E106BBB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:15.261{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78CB3CD5043D46CACB0862162CC3D9C4,SHA256=3BBBF679C5247113207D1F3AA4A8292F7E9FE8CFE8613DA093B7452D7C967D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:15.198{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ECC90470F7828692B404E0D1CC721321,SHA256=0A737160A7DC8D714D764C6CDAA146C6CD0866521D7643CB73ABAAE96421F244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:16.804{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3822CFAA4CCC9B5E433707A3EA1858BD,SHA256=57F0B6D8D8B638EDFCDF4D74B27236015C606498B35CF3ED40E492B390AAFADE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:14.156{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-32655-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:13.078{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-25857-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:16.667{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3413A9BCC4566BB76B6A2538BD0646F,SHA256=BDF50099244A75EEBC4A4F0A274F655C71F5A538D0AD898AB45E6469AE9C3F2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:16.370{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6F6E663E81F8828F7D77B744B05F13B,SHA256=920B4124830D2C77674ABFCF3E5C4FCDCB90895750578056C58F4FC9D6B81978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:17.820{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48078B081EB236CEF615695797A4E38,SHA256=A1AE727B824B541FC9F3DE21CC2B402755DB5CED45643313CAE2D23E66079382,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:15.277{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-39421-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:17.745{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1934DC64854899A16493D52C0F86666,SHA256=A9C048B59CA40670EDE7FE45DCF764252026287B701D2A6B78E26829031AAED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:17.558{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:17.433{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18CE4BCB8A1A6D783855FA02F7FFDAE7,SHA256=264D1B942DD9A123C62E6E7D608D8C22516306D2D1B2FA0EE1363249260862FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:17.617{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D8613BD12BDDAEEB6C23F3AB6781649,SHA256=730F665926AE7DB43FD019D917EE577A2FB311EB711906B8A6831B5AC7838604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:17.617{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4317DEA5BDB4DFF05291CBEE812832D4,SHA256=1DD2080D6210F3D2AC9F627036451B3D754547E3B4A2FD867B37B4DA2D88A7EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:14.530{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65229-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:18.820{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0817A40A97E42DCDF6D430E10448C7DA,SHA256=F534967244FB09EF8CAB9A31D517A50ABB86442EE7F58B5035B54BAE09C15517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:18.870{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA9B33706FE8AFED933D00A8D8DC4091,SHA256=D274E84EED6DB28893909A5DCD8C6739F835BF344B79D3DE2A05130617E9828A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:16.389{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-46851-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:18.448{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE833780873292A7B7DD8CE112A590A,SHA256=79A0132257AFA1426695082BCA6691F15BF9F16194ED2580D9649F55674B7BC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:19.836{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E26B0940406856A7512861F41691238,SHA256=729BB84878EFF8B943CBA2D56C5E95028E184508AFB2E0F4B3A00F53138196E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:17.482{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-53532-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:17.244{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51622-false10.0.1.12-8089- 354300x80000000000000001464387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:16.900{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51621-false10.0.1.12-8000- 23542300x80000000000000001464386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:19.464{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39DA9C998C854302B4DF6B6C0E9E753D,SHA256=6C3E06DFE5DE519D39B84928E095467205C653C42E2E5D77C5879602DC3530C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:20.851{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB851CB45C3D51C8CAF29634DBFA5BAE,SHA256=6B6767E6D6F6B3C8B2BB232DD56C30F50FDCD7054D4D33146421260246031F78,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:18.604{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-1856-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:20.495{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC655430DB5FC86C917D19D93B904F15,SHA256=E1756C1FA05AD708539E8AE0AC5695EC97B33868E4B686DDAF68626F20FC1A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:20.073{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A46890E9EC10D7DC77152F57143FAE9A,SHA256=0965F1166E0952DDFFF0F3B9CB1804C1961D5AB2F1B19F7682AF27A0750D6767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:21.867{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1C4C6C34A4A8A29DD27CDABF69FF94,SHA256=B118DC45AF01EED9E72EC6C1E9ECECB434C21E9A6CB6319AB7D8F541B8D7414D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:19.810{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-9283-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:21.527{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A58BED6F7D09E7F026FA237556A0BD5C,SHA256=0C6B528F15232EF62CB326701C9D7C6460377E99E33DA9F881A03209EEBA0416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:21.199{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5666A4811CA32BBA98CB8F382BA05522,SHA256=314DFF89ADEFA486A67DFE0522561DA2ADADABAED72BB388E035D5E9C5AC03FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:20.976{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-16750-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:22.558{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1138E61136A1B016FAA4F323BE3732BC,SHA256=BBEFF554D602411B47CF95DE95AC117AEB487A7DCE73C1EEF0A6EF99575E79FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:22.882{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025D8F11AD75EB888F8B29E099A9FB24,SHA256=3B5627AD1021B58C78535DD4494FBAD71E011B9027AFCC8CAF499BCC3A9AD2DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:19.545{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65230-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001464396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:22.339{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B22A716F82D5B5EED8CE3CBA5130FBF,SHA256=A9433174B61405957FEEFF3441F74F3141B38D45DB9F6AEFEB7BFD53E2CBB81D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:23.883{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208D417B8B4039AEDC175B3F985BF1E2,SHA256=C58F74C8E068337598A2A6ED4E7DC5D733771FD2841527A1A3F23447347D5E3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:22.076{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-23549-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:23.574{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A408271374413618E91F9A0E08E3884D,SHA256=EF9CEA31FE0D3CC0A35840994D8FE2CD874B0958C0F845DF0E9A3BB6FCD8636C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:23.480{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A06E794FE443B495F6559FD9266CAD6,SHA256=64DE6C6EA0EF5564C0992199D11993FF756827A7348D86A9BF722AAEEDBECEEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:24.883{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0EE9046D44BEFE74D5E63E5D2C4915D,SHA256=30421D5B81917B79308860286223BA56A028DB9CA8C66BA8C1B7B522D7CDB5C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:23.201{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-30989-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:22.744{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51623-false10.0.1.12-8000- 23542300x80000000000000001464403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:24.589{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B4EBA9876960FF8DD0037412125AEA,SHA256=4486470E2747DA47E78AADD4BC3EB45563D8DE2D4FD6901EFEF31D19E5F08941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:24.558{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D500417C189FD48FEED0CEDCB63B8742,SHA256=3D177290BE4E7CC1026810AB434530ED860D25ADCB7B5BC34219058A5BB79723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:25.883{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0088730017A2FE15CEB0C1F7331809F4,SHA256=A65BEAF420E15C985A9BDE32BF9D241F1DD57D7AB39CE2675A2BD7DA5799AE5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:25.652{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=651FD82D302CDD90392525F619992979,SHA256=93101567E571C13FD457E7F72E8A2EFC955C0F2B71C1756AB77CE041773A4F05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:25.636{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D79EAEE34788301FC28A84D71FDC89,SHA256=6E376C8D569E87B773F0D2F3AC2AF7BAACA7DB1B9442765849691C862DEB0AD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:25.389{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-44763-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:24.281{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-37677-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001464422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:26.855{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C82-6154-C804-00000000FE01}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:26.855{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:26.855{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:26.855{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:26.855{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:26.855{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:26.855{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:26.855{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:26.855{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:26.855{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:26.855{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3C82-6154-C804-00000000FE01}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:26.855{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C82-6154-C804-00000000FE01}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:26.855{69CF5F33-3C82-6154-C804-00000000FE01}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001464409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:26.777{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BD7CD1F74C4E6D3B6514F12157D23AE,SHA256=97F9639DBFB9398EC52C9221DC50358D44824DAF07AC7153B5535BDB17C55677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:26.652{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1286AE2A99652B6103D5EAFB556F52,SHA256=4D057E6E79CDA44D4CE2F26B2FE18A55B7E0F6966DE83B314195BFF4C29E3214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:26.883{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86DA3DE4F72D7FC822C876E9732B58C8,SHA256=CE603D48B52F3079AA67CC8DBE5E62F7FEC0FE736795506823AED41C5BC656DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:27.883{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03A8C36F090E04BF2C7CFBA794DDB87,SHA256=678DAD9A345DA946361E1F3B7C4AC7524A7FBA5D85B9691D3BCB42E0AD23221D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:27.590{69CF5F33-3C83-6154-C904-00000000FE01}384604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:27.355{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C83-6154-C904-00000000FE01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:27.355{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:27.355{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:27.355{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:27.355{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:27.355{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:27.355{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:27.355{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:27.355{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:27.355{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:27.355{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3C83-6154-C904-00000000FE01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:27.355{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C83-6154-C904-00000000FE01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:27.356{69CF5F33-3C83-6154-C904-00000000FE01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001558397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:28.884{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F3ABB2FCA573C557FF71B5F967A5F8,SHA256=0C092F8042EC56A1F3C62F2B0966B21FD739187D78B244FF3897195CFBF0FB7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:28.027{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1924051EBC0E9A9BE8A45C3CA9CE50,SHA256=779D0FF46166C96887C607922F6D7C2EA9C166FB3B4B879872F7E7D7DB6E29EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:28.027{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3B840B0FF42D7837E2A1D173D39BA59,SHA256=F37759CC823A74BC32336B841D76438A12F10CC1AF474650DA1FE3C27AD4A514,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:25.358{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65231-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:29.884{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCFB01867F8C0FE9B07384852A1D42C2,SHA256=6B8B54657CBE72CB3398140C03E81CF96BE40F6BB410B1CB38C9D404F93480A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:29.574{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C85-6154-CA04-00000000FE01}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:29.574{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:29.574{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:29.574{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:29.574{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:29.574{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:29.574{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:29.574{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:29.574{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:29.574{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:29.574{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3C85-6154-CA04-00000000FE01}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:29.574{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C85-6154-CA04-00000000FE01}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:29.574{69CF5F33-3C85-6154-CA04-00000000FE01}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001464443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:29.105{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238B64379681AFD926DB5B03E48E2E98,SHA256=9121E2FAD1F35FDEFB21A4A6DF6768C910BD028FDE0F124111CF286046C1514C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:29.027{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6800849B2F9056D0E450E6DA19BB1E1F,SHA256=68C42B10399EC9225651A940E1AC4A74B17578A88675EBE23900F112E8A618DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:26.512{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-52003-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001558399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:30.915{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65E23C15FA5B5C2AC9B0DF6D3149F0C,SHA256=F1E90D5EF738A917694DDFEDAD0DDB2B98480388FF7248E814BF4779C95335B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:30.183{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B69CB2D9842502CE1B1F15064BDE758,SHA256=544B3E48184EFDC23059000D8ACBD08E892FB2414D740FA347F9EC6E9C2D08E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:30.121{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF29D60A7BBF80D27D9CC25EE2542AB,SHA256=297341C7A29A673E4270F2F04E0AAF25E4F53234AA150C37C9D56C8506D1F6A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:27.639{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-59143-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001558400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:31.931{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69235AA3BF0E423106373996AA4114F,SHA256=85E2A8694D790308398989B4D41E66F64A67B47E31A4837FC55B7680A640260A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:31.261{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=165DC8F43BBE880AB3B8C7301C2E0A42,SHA256=2C5585D4C37D27CACCBA6A72CE375D26A44B86F9BF3D0B5B41199707B010F6E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:31.167{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838130A2DD58A7A58F1155B565B01D4A,SHA256=DABEAC75384C968BEDA3E0F47F31BB40C565AD7E82C8136A7CECFD2D25F3797F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:27.931{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51624-false10.0.1.12-8000- 23542300x80000000000000001558402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:32.931{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC6EF029A28D85E4446A48F32D9C8F1,SHA256=0ECE49DE7D414AF67BAC14A75EECE594951E51DA9286EEEA0C9DE41FF70DD5F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:32.386{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FBF6898C54427D4BECB15EB00C3A6F8,SHA256=E700CF9AAD8B62C68E1FE4874397F9DE88FE29FD859DC44B13BF3ED33BE0BC36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:32.183{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15ED49C9864D07DDAC67E0322639464C,SHA256=A03427E90602676DA28593A661D4C4CF0CEE810A6D4A60E4F2565FEA0E887BDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:30.485{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65232-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001464464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:29.905{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-14353-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:28.763{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-7166-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001558403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:33.946{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502333CF5C5EB1A83341221256043E36,SHA256=0BB46A924C956698EB024E2C72AF5938C3117A5FCD108E348F203226A298632A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:33.464{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99D89A2CC0903C07F8681BC516B084CE,SHA256=DE7986D320B90AEA5B8ACD2E4C299530DD06F26B0C412726F7F6B8A61B4DF488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:33.230{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D6F9AD24291F4981C8604D53680B6D,SHA256=B9142EAE20862BBB9C800414CF2555DB68FC7325963FF67842D79005ABA1B971,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:34.542{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E39196E0BA2A7BD5EB1B28B34AAEE7C,SHA256=0A86747F9E59145BCF6E4A02B18901C94DCB0E8D576FD96FA7904D8570A8064D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:34.261{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C07B53519BB97731E6AE5BD19B7ABE,SHA256=8CBA513047C1ABC353D2AE6C7C62913EAABC16D26CC3DC1AE022E84948FAF76F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:34.431{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=075B532B51429BA8A2FA5FC03A265090,SHA256=01689A90EDDADA453BC549B450F4994EB6778A1365D27F4EE03CF76BCFF018E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:32.108{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-27922-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:30.998{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-20794-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001558406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:35.309{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-148MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:35.120{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16058E1695AE986E207C2DD8BE56B9CC,SHA256=62E073D79C558EBC5CFBAAD502813BEC8187B9B61CABF9310B3893BE182B7F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:35.792{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B71054F10C212828BE3DA4B3C8C0F053,SHA256=B0602B2E08FB5FD7D62630C4441729FF39E7F797A4848F68E416D5CA42B7761D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:35.292{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F694C88B2034C9A48DAA25C35AA7C598,SHA256=89D2E1CBECF1E623E5836057AD89BCA6FBE415B831087CFF247A00924E6A35B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:36.322{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-149MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:36.134{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9756D81B078CA66B339FAE8CB54860BF,SHA256=3C5B87AF44136535791C5AE76F7F054C48BC2AD7FE44467431AC27E503BAB54F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:36.871{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07A3C24F6E2F186C8BCA6650FBDB2188,SHA256=93AC410F8321177D94ECD53A8800DD390FBF72728C6F140F49E3C140BFE47371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:36.324{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=957AFEA99BDACA4F48697337BC7B5BB0,SHA256=B750670B48763FE3DA1D551921B5249387A3B36B6378DC6AC18C1A98B9FD1B12,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:34.280{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-41399-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:33.900{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51625-false10.0.1.12-8000- 354300x80000000000000001464475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:33.188{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-34725-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001558409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:37.369{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A251CFA25ED2959D2A7F1974A0C85ED,SHA256=74E8041C348FC864DF885451EEBB5FEA4B2F3F9DD00D3A173BD235F6226033B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:37.355{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4399E066D7A9EC0794CC9771F8AA8AA,SHA256=89AC2BA566B171B461F44EF2710BA32B7B33A76A6DE58A7B1E9EEC509E853EF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:35.515{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-49238-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:36.656{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-56403-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:38.371{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434888737870C9402963F6A0F964D5AE,SHA256=DD744BBBA71822EC402760755743E8765F1561A4DC654216DE89C45C52DE8573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:38.369{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D648689B6A176F7552641E7ECDC15F,SHA256=E46877926FAB24A7E6CB21CB55344BBF4D15F0B3DA80DDFDDA6C659AF23C56CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:38.027{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B82A0506239A077FACCEDAD02E70C9B,SHA256=D5B20E205BF8D5A6FE46B3565284ED7884E5BD572FF17B10A262EAD54944E5EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:37.763{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-4375-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:39.386{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844959916A29D0B862A39F584A0BF5BC,SHA256=068BB08253CDD2E0319F4B5307FFBEB24B8F2A6F6424544F40F2F4166204D549,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:36.454{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65233-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:39.416{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39DAABD5E973A280225935F318F81D07,SHA256=195FD9C893B54C01E421F55B690441C6C4CA211483880445B3AE905DC73BCAA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:39.152{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=270F1BB9ED384C8EBB208FCBD344EBE4,SHA256=A9E73C207EE327612C7941842A8F339AFABE9A3E449009EB0BFBB1C73555945B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:38.886{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-11522-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:40.402{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB831F8D7FBA90B01669413FEE2B22D,SHA256=2E305749A2D6613757D3E41F17D6195099DEAF8D2A7AFA11B77DB93658BDC49A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:40.463{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D22245FD2F77202934A299E5E95DE126,SHA256=04E7B8647131C73CEE82DB74DB8BD5082DCD192D76B3C0E541F855BF6EBE36C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:40.277{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82273EEFBB0220BDC07142347DA46174,SHA256=E61B76662B99A4CBA2B0C219A6793F8C2990D7BF5628590FFF96561633F2D8FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:39.915{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51626-false10.0.1.12-8000- 23542300x80000000000000001464492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:41.449{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C203BB315FB255C5551474ACD5E58F00,SHA256=D62872BE665B6D6A7319981D300B9B08D9DD3AC1C9580045EAAAD466343C1E8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:41.463{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4985997836C390AC24AB23030F7D7940,SHA256=5CD0EFAC0F157D929DCC0E28535420AEAC2641D80C29E056F4EE9129C3AF0CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:41.402{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5BCCE2209789E18080859231AFDE232,SHA256=7BF61CDF8853CF20C2CC37D6571288140AA050E42CB6F6BFA06CAAB8BB22FF40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:42.650{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93402D2A3C651F6A5E7BF369B1840CEF,SHA256=35C9E09A5D25E657B9F2ACF03EC1334B4F7112A0ABE314A814E983A464831590,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.933{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C92-6154-CC04-00000000FE01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.933{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.933{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.933{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.933{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.933{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.933{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.933{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.933{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.933{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.933{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3C92-6154-CC04-00000000FE01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.933{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C92-6154-CC04-00000000FE01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.936{69CF5F33-3C92-6154-CC04-00000000FE01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001464510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:39.998{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-18806-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.527{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70E813FF6054509F84BAF135BF929F19,SHA256=E72D7FA7646A26B4E4ECA42180E0CB1FB41E128C4524A6227187842A1BDA1E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.480{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=134319A8867A513B04C66C9B581FA2C1,SHA256=38DDA511DBDDBF93D154C5B96FA0DF2F7B0459C2FE63FE0D12537654531CE47D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.464{69CF5F33-3C92-6154-CB04-00000000FE01}1812100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.293{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C92-6154-CB04-00000000FE01}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.293{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.293{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.293{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.293{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.293{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.293{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.293{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.293{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3C92-6154-CB04-00000000FE01}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.293{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.293{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.293{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C92-6154-CB04-00000000FE01}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.293{69CF5F33-3C92-6154-CB04-00000000FE01}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001558416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:43.650{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A349D4EAD839F013A9B62BD14FDED48D,SHA256=2FB82DD587558661B2D5F02ED6A88A655919B6A5B4D88314A14EDA8FAF947429,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.933{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C93-6154-CE04-00000000FE01}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.933{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.933{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.933{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.933{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.933{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.933{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.933{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.933{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.933{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.933{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3C93-6154-CE04-00000000FE01}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.933{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C93-6154-CE04-00000000FE01}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.934{69CF5F33-3C93-6154-CE04-00000000FE01}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001464541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.730{69CF5F33-3C93-6154-CD04-00000000FE01}2884624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001464540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.683{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D765C848203D6DC1595EC41ED048A111,SHA256=2DC203066AE7ACF710288BAB86259D0FE5F47B9241BE41D7DA46CA51A5DFFE87,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:41.139{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-26031-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.558{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F30317AA4679002A0FB2B5CE808CA37,SHA256=E01DCB695518454ED963783365056E2F890D1B003373DA0DD2DBAE99DD8A8344,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.433{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3C93-6154-CD04-00000000FE01}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.433{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.433{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.433{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.433{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.433{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.433{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.433{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.433{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.433{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.433{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3C93-6154-CD04-00000000FE01}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.433{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3C93-6154-CD04-00000000FE01}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.435{69CF5F33-3C93-6154-CD04-00000000FE01}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001464524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:43.183{69CF5F33-3C92-6154-CC04-00000000FE01}24483796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001558420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:44.963{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4215F758AB86B567A6242DA82B8E9E30,SHA256=2822B39FB94AE747BA9946C5F22E5C2F72FD3A2DD484B54B08F42BC011EFD631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:44.963{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D8613BD12BDDAEEB6C23F3AB6781649,SHA256=730F665926AE7DB43FD019D917EE577A2FB311EB711906B8A6831B5AC7838604,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:41.454{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65234-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:44.650{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C6582084334E3AF2BAE29168F28AF6,SHA256=5BEAF42F996802B3D898234EBD90DE90E982365FA0704002385B8E23974D6B62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:44.980{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DAB6148EC89F64F30CA39144E42ED04,SHA256=4FDBE13C1C6664536DC2E1B5A7ED30C944124A05905F7100BBBC2FDF5CED34C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:42.261{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-32948-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:44.574{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF88084718DFA4EF8691129B3E26688,SHA256=EF73FBE7471996BFF3AD60F301A7B82E32FB9D322A34198AEDAD8CC1E91F3491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:45.713{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ADDEFF78F8797F204DC18118BFB1363,SHA256=40850FBDA850B057B48A6E86DDD92FA887D1DABB62942C7494E620B26253EFA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:45.621{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5A76BF0998188E62F6F5B4D329157F,SHA256=4BCCC10896729B7FA03B0C482A9DBB71D7C7854CC2A9A288691BA663FFB9D531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:46.775{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4168F5D37B45DF3DBAC8A9327EA81CF,SHA256=8352F16FC0E16E260AC2CBFADEC51433151C75341AC94ABE6869EBD6CF26B4A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:44.931{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51627-false10.0.1.12-8000- 23542300x80000000000000001464559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:46.652{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B620DFD568332FDEE6FC84F8605BA3,SHA256=FEF869C6A74C8041A51F4943D97878FFB5A674B3E5BF7E996D0EE1046EAA25B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:47.791{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6699C94AE9A6DFF79D5AA72947776F28,SHA256=DBA8AEC9A497210E6D0626A2ABDF2A0A5F7EA172D62D538225FAFA250000AC62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:47.668{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3F111230E61EC0D7FE6BA5169A576A4,SHA256=D68D2350A3AE260A7C4C108EBB9A00D86871A9824865C3734176ED272E106B80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:47.619{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:48.683{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F3CDD7FA5A567512726CDA37D54B86,SHA256=8C1EB32315395F4E34DE904E646828E0730941067FCCD0318FA8F551299561C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:48.792{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EE11910CA7DEAAD421B19B4051B8DE,SHA256=B8204BFA2334F215723781474907A3E8B87AE2237AED528C032F10A9FA7126A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:49.792{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE047A8C5FD1B10ECE902BF98610F85B,SHA256=9B884CEB5D5AD053B6F1269E2BEEEABCC85971E8BB50B3C1CCB8D1788EF6DD03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:49.730{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5DA39BE5B12F8CE0BA9118D37468F9F,SHA256=4A0D0B227195F3E255C8538C65CD9AD37B045587562B77B043B1D5B496793889,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:46.923{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65236-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001558426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:46.505{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65235-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:50.792{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1618BC0CF38B370E24D42713359D2C93,SHA256=DCD79504C3F718082C6FEB4F271082C98E238D03A39CFA63E62D5A75ECECEE54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:50.793{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D6865D6A083CED2E22E7E128559EB0,SHA256=578FCAE2AA8F1C4999B5EFBCE594DE7BEDD63C1772586AE2B69923C551721293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:51.792{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84E12558C881845ACF18C107FA62820,SHA256=A08A2F59B29736301C605A4A4EA5FCC85092EAB8FEFB8B3B8B3F1C225F03B469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:51.840{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA21CF73785235636093EF265718A6C,SHA256=A5F43C1C137A0B5CC5A569A69243C1F764B58E70FCDC25FEE274EF5762B76D52,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:50.806{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51628-false10.0.1.12-8000- 23542300x80000000000000001464566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:52.886{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4005C4DA3AA8A5FA15D7653E1056242C,SHA256=BC51E17645A3FFB27386CAB1F6C07541C341E7AD2A056C8A5EE18194204B166B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:52.808{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416456E3FA8C34CF7E677E21DB5E3D23,SHA256=BAC7FEFF0F692A1F220B050B71C2E4754DDE97510A2C03C2F675B04B75C9E498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:53.933{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3719B1250336158D5D5F398EF3D0885,SHA256=756CED0BC21AF45DC66BB2B6522C0FA3E5DA37D1E4C65F6A88E645CB43A1E8E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:53.808{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF6B5030B6BC6CE5107C6C4478664358,SHA256=ED9731FB90F2387BFD2141DE27CE7BD29CACBC1D5D21C703DC22F9056AF6BE27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:54.808{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30624859E79A6C625D144AFAA3F81019,SHA256=378A5ACD497D69BDE0907E08E08F5F66B5F04FAD895B974B06E46086CDC9AA0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:54.965{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14F5898A98E8F77C760580C4E0D1790C,SHA256=1F6BC0CCE14E2ECA04831E50A962AB54CD19940124BE62D26C86E87F5667A4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:55.808{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B41D6A3D2CBB647EA87A95514A99D05,SHA256=047658F6022C6F6DBB072FA203545F7EF76CB9E3118764AAD1AA169562FE622E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:51.518{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65237-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001558445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:56.949{5EBD8912-3CA0-6154-0905-00000000FE01}22963376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001558444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:56.808{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E87AC8018F8931AFC353267B30BF09F,SHA256=7BC3185B07659BB47C27AD512E440C7D36DF58AFACE69E6705B91D71E2712410,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:56.714{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3CA0-6154-0905-00000000FE01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:56.714{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:56.714{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:56.714{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:56.714{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:56.714{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3CA0-6154-0905-00000000FE01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:56.714{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3CA0-6154-0905-00000000FE01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:56.715{5EBD8912-3CA0-6154-0905-00000000FE01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001464570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:55.996{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BFDD2366F41511D0A7A2AAD4C39A65,SHA256=DBA77018E768EC15AAC811C0A90C526E481A0ABB93C61CB3742C7E15B4E38970,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:57.886{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3CA1-6154-0B05-00000000FE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:57.886{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:57.886{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:57.886{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:57.886{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:57.886{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3CA1-6154-0B05-00000000FE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:57.886{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3CA1-6154-0B05-00000000FE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:57.887{5EBD8912-3CA1-6154-0B05-00000000FE01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001558456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:57.808{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26BAE3C72C0F42C0A7346C641C1DFEB,SHA256=D164B104A0268DF5E87C4C25B60E768E31BBB62AB243D0028F8227CA0D976844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:57.027{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2AF1DE75F7EFC0A982C792D76168542,SHA256=8CCE1885E48B25BEE725523198014543770655F34EE45C9EB46C5D39A2A336E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:57.730{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=871A929B99586E8114549A6DDD87288F,SHA256=7F31CF5F34BE145F182BB103CDA3D0BA932CBE439802F121FA0E340C70517DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:57.730{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4215F758AB86B567A6242DA82B8E9E30,SHA256=2822B39FB94AE747BA9946C5F22E5C2F72FD3A2DD484B54B08F42BC011EFD631,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:57.214{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3CA1-6154-0A05-00000000FE01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:57.214{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:57.214{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:57.214{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:57.214{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:57.214{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3CA1-6154-0A05-00000000FE01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:57.214{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3CA1-6154-0A05-00000000FE01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:57.215{5EBD8912-3CA1-6154-0A05-00000000FE01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001558466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:58.886{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=871A929B99586E8114549A6DDD87288F,SHA256=7F31CF5F34BE145F182BB103CDA3D0BA932CBE439802F121FA0E340C70517DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:58.808{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCCCE12A3D853FDEF9589F4DB499DC7,SHA256=010DE0052E069E21B8AA3753C38BC6CF13C515FE70DA50A3BE6EF0B64731B587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:58.058{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7840E7A9E66366E1BE567F06F162287,SHA256=06EFE5C7662A93DBD70395BF6D2F6845E61C6ACD8FCE7203956E4A7E225EC196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:59.808{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C164549C92707D2EE6BEE880E281273D,SHA256=C91AF1C2BB58B0E6C891998C400895227A176D403109E9AF83767EB8C4213D8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:56.821{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51629-false10.0.1.12-8000- 23542300x80000000000000001464573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:14:59.105{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D920988DC926CC6EA8A2FDA21346B6,SHA256=0604DF8C1F3713B13C74F689AE77EB9A0CC300174450E98F9D3457EFAFABDCB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:00.933{5EBD8912-3CA4-6154-0C05-00000000FE01}42165692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001558477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:00.808{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5BBA3FA3EAD3486C7451DC3228E2AA,SHA256=16C62A0674CBBAABEDAF16B39C246FD3207B94243CF473A06CD8EF17AD168709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:00.121{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6743AC36D54617D3BA484E8768EB0EA,SHA256=D5891794E5F44251B5C324D5ADC48F08CA400102C622A32BC076EB910019CECA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:00.746{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3CA4-6154-0C05-00000000FE01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:00.746{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:00.746{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:00.746{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:00.746{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:00.746{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-3CA4-6154-0C05-00000000FE01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:00.746{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3CA4-6154-0C05-00000000FE01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:00.746{5EBD8912-3CA4-6154-0C05-00000000FE01}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001558468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:57.380{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65238-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001558497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:01.949{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3CA5-6154-0E05-00000000FE01}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:01.949{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:01.949{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:01.949{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:01.949{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3CA5-6154-0E05-00000000FE01}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:01.949{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:01.949{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3CA5-6154-0E05-00000000FE01}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:01.950{5EBD8912-3CA5-6154-0E05-00000000FE01}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001558489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:01.824{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2CFCD0D47231612F0DC1D1EFEC95A7,SHA256=B3FC3D429104D7BA936AA7E3A29D68C68A781FFFE72D4F0CF2085C550CC0DBB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:01.121{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F8ED452DD0846D363F7388696BAC2D,SHA256=399E98E23C624658B26529D6E0FF7D8D21EC9E5509079AE2A67BD50476AE1451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:01.683{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=712ADAF1B97CD075ED30ED42171C5122,SHA256=EB8B4BAACB6DC8B38BFF085E2EE257D24DB7923BC0750E901AD64A6DF63F8BDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:01.480{5EBD8912-3CA5-6154-0D05-00000000FE01}58801892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:01.324{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3CA5-6154-0D05-00000000FE01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:01.324{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:01.324{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:01.324{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:01.324{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:01.324{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-3CA5-6154-0D05-00000000FE01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:01.324{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3CA5-6154-0D05-00000000FE01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:01.325{5EBD8912-3CA5-6154-0D05-00000000FE01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001558499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:02.824{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00718E3BAC36DF81190DB69F169E7263,SHA256=34D19412462BB1733957CA97AF6D1F67D08147DA17DF6B279629172629A0DBC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:00.807{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51630-false10.0.1.14-49672- 354300x80000000000000001464581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:00.753{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-9575-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:00.728{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-9320-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:02.137{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A4D682A38819F53A79DF5FCD7C00991,SHA256=F86D2CED7331308CD0FAF6EEC654A3E039EF678E752AD2F9B7FBCF28A8874181,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:02.183{5EBD8912-3CA5-6154-0E05-00000000FE01}10005148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001464578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:02.121{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A29D6F53718739424D590DC15F9E1E00,SHA256=D00A388BB96CA20F39BF4E375555153EDD9AF21811EB7614CAB7C522FD3FC40F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:02.121{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D479B5E22AD55311FD7D00235F972F2,SHA256=4B87E35EE290D1F8DF9E3B2AD84E1566EAEAACF84FB832971F8B328E4F48F619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:03.824{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB243A3C9B2A444CCE9518686594BDDD,SHA256=02405E4C120BA54BB3E12B332A77F7CAF43C5FDCB106D5EBD9D6CAB27C8CAB00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:03.184{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A29D6F53718739424D590DC15F9E1E00,SHA256=D00A388BB96CA20F39BF4E375555153EDD9AF21811EB7614CAB7C522FD3FC40F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:03.152{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1990F0801126AEC933EE3AEF471796FA,SHA256=7D9A3085DE6685D5EEB8BABBC9A0132F554D0973D807D09C5267F9998C2BA7BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:03.496{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3CA7-6154-0F05-00000000FE01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:03.496{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:03.496{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:03.496{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:03.496{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:03.496{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3CA7-6154-0F05-00000000FE01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:03.496{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3CA7-6154-0F05-00000000FE01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:03.496{5EBD8912-3CA7-6154-0F05-00000000FE01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001558503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:00.475{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54251630-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001558502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:59.987{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65239-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001558501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:14:59.987{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65239-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001558500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:02.996{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3159DDBB9BB23299B923D6917FC249A,SHA256=31E8EA9735574D7FF6AACB1C709E56CBA2341695A2019915871F66C778ADEFF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:04.824{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E625A4E65801F3E514754C0BEF2415,SHA256=E2D8801C529B85BF88409AA0CCCEE743EC89A4AF3CB9A224676B5D46635D1D6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:04.402{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=490345D5FE5903CBB9D63593F9AC2C90,SHA256=3319AC50E8697865BAB53CBBAAA14B890DC89F94FE1D31F17F5754A58BF4CC26,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:01.868{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51631-false10.0.1.12-8000- 354300x80000000000000001464586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:01.843{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-16554-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:04.184{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B1C4BB936E959C388A9C73EF2D8C25,SHA256=29547E0D5FF4BAF816DB5328152804ABBEC847812723D1663F708A0A8AF5091A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:04.496{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=278D47947FA8294E251F21D27F051807,SHA256=741BB2572D3E7EAF8A4E1341B2FDDE1ACF79032A98702B78E38263CA46D521AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:05.824{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92B1AC32AB42C4BDB03C7F69C7D58E9,SHA256=50DE6FF86D93F54D6846BDB01815A8F68E2C1F29D3F8CEBC6119C51649A68BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:05.517{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AB34924BBC2AEEE6EB757455D6138B2,SHA256=E9BA729F3CCB03A0CCD64F41F72DDEA58E8E1A4F77BE672ADC84D6EEEE9B8520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:05.434{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-149MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:02.934{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-23484-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:05.186{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CCC28E80A02B4FE0FF4AAD547C37C47,SHA256=D8C644FACD08686A118AFA300AE72986AFCBB9D4E0DE87191E4164EEAB407717,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:02.502{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65240-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:06.839{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A1AD8F005BF5B9174649F8F0BA5F98,SHA256=564FECECC48F658698D3615BB723F0EB8E5127DE8778BDAB8D6726659350AA41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:06.532{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1720CC03611FF2DC1872C383A24BE4E,SHA256=99C44C4166C3F19DF7B98B0F9091AF0D624C88EC9CE699CEECED54511E14C0A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:06.424{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-150MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:06.189{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5298209E83C5EAC3BC3CA2AF619F1AFB,SHA256=EC90B5EB591D2F3A6E9A6790AC685CCEA67FBF38B8223A9D8A787B474101FF54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:07.660{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A014553DC7F0F5D0CEAC6D70E12F9C25,SHA256=9386D19A560E3FE9E49E22B3E077506D1CDA0FB3E300513A6BF023D705854C2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:05.269{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-38494-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:05.136{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-37630-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:05.095{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-37380-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:04.136{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-31203-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:07.191{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC129DCD47B75DB3C13F7983554EF8E,SHA256=D9B95634F5848E0B3CE004F2DD66246BF4424CAE8F2D5865B40C50EFCA607133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:08.754{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=182BA6D4C9B61A4DCFDEF4F8EB0D5AEC,SHA256=C854D4EA1718529A45F0777181976C73C538F8BF81A009D93EB9CD3BB02829DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:06.267{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-45086-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:08.254{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2B633152C3CFFD8756D6F1AF3C33D4,SHA256=C45549A2D9A94CE6B389FCEBDAEECF5E0A3391BCEBF13320A8478A46A55C4137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:08.074{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C34DD8F7896211150ECEA43D213EE10,SHA256=BD7DEBB037576C36DCBE765E53A47EBFFD8B3B2CD51F26E7179FBDDA3F9B4742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:09.894{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=523E7DAC1A97F24295D0356EFC5B56F0,SHA256=BD9DE1E7D1D456CD97C843F2CE7EA755A4E7F2473D1538C5E528CDACD1B88BF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:06.393{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-45903-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:09.269{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881A8304B4826D654DCC89C8434056F9,SHA256=33A430876C46ECDA60F47EB539E05048D656F41869C2C06658F42468C5BF29F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:09.094{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1353793E351749E7925C3A13D3028A96,SHA256=E57C0E01ECB1AE5A2A4C681427CAD327C41432BC8F03C006BF35D80C42AECC77,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:08.487{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-59305-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:07.892{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51632-false10.0.1.12-8000- 354300x80000000000000001464610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:07.506{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-53175-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:07.381{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-52315-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:10.269{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F277332530C7FF7AD112FDBBCFE1D5D5,SHA256=BC100C7C4458184D7E19171AD45B8678CD06FEFD71685047280B06EAB0EA0D80,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:07.565{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65241-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:10.094{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98DD2EE33F6F61A401B953ABDF30D5F4,SHA256=164F4CA53C49EA0A6475D52610CEA6D0B72D1055A009E2DC6C00664A2DE0A9AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:09.616{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-7818-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:08.585{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-1090-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:11.269{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D4498AD804E2A2EAC84807561AB13D,SHA256=4CA2158981D8054B53F14061F78A4CFC1FAC689E9181CDA3632B657E42841278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:11.110{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC914EDF8898603CB9F001D7E022936,SHA256=FAF32A4C0D37BBD9E7DA4A59E21932283D9ADEDF45FD3EC771C4A5A085DF920B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:11.035{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C2B1D8DF209048494B3018FE3DE5F98,SHA256=B4FDAC5AF24A6E96D88BA9757B54C71B6456176D09B1F78CB4EE6C8533A55B07,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:10.803{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-15317-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:10.784{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-15069-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:09.709{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-8182-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:12.285{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9049C112AE98CF2B6E64A8D71143885A,SHA256=27E4E07ABFFF7FE81415756DE4B09F7B431BF136AF0E2CDB7CC9AE83D092C688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:12.125{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE147D9F1101727763EF096902D0B5E1,SHA256=391D1789B04957E81D2B186CC178A8551EB811DEC8E959FF728E7F663833B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:12.160{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0F150C2B8AD290E2892521ED59DFB39,SHA256=A14041F3D1273E149D51FA00A89D175DA34902C082F9D70CB462CE153F6448FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:13.301{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A02D184C1FACA874CED96DA2CF1EB20,SHA256=B60A392822B17FF1CDA5FFCAEA23A7AC49B88AF68A151C8509E5DC55F0F1AA10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:13.125{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC2504B8EEF327E38C8EB6093015630,SHA256=A59A8E8566206AB9D48E0649D7FDA09E52A2BCD8D7D5D852FB0A51FD6C682883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:13.285{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DDE15B267C79747BE0F5D2BBE348583,SHA256=40D6C509A0ACF83E6E1EED8993A3267C5AB7E62AE61477EEB6F85C7FEB4DDC79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:14.125{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87C6A2DD1BC7720F8F12899CB7105C56,SHA256=DEB63DB2E58C95B5940B49793B6C67FC99C664EEF11167ADF31AD639C454A6CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:11.912{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-22420-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:11.896{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-22314-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:14.394{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AFDE01D87CECBC1F9BFE872FDA0F5E1,SHA256=BCFFEB2602B94FA0A8C1351D65D358594A675C46541C4BEEAA9A033B921068B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:14.304{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89837CC4E234D2BDD37471978307C136,SHA256=30EC594495592B48A61D70D6EA4B9ED90DB6BF7D206C03B4EA2337CE3C271BC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:13.058{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-29630-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:13.019{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-29492-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:15.660{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D4E0D8AE05F09E3A25EBC51FC208DDE,SHA256=4AF586337E86D31F38C33B7BC304E6C0CF5F589C5ADE3D6FCB3D78CEBA46C43C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:15.316{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1472933FA906AFF5BC769A710672B2F,SHA256=81C128D48B9076589D0226F4EB35E455418EDC8100C64220FDB228CD25385E1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:13.413{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65242-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:15.344{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B24834A05AD1B8B1BD8E88FD25BAB95,SHA256=0770A0F7621F40FA85574FC08D613BA4A972124A22B0DB1C4CFC745037D83F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:15.207{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1974A1CB68122A4712C94EB2D1583695,SHA256=9CC05880277559C836FBA3392A29E42F78FB8D428D977FF04BE5282492C8CAB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:16.344{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5B003EB972DDA2E21EAF703C036E7C,SHA256=1AC0C907B84A8FF5D0075D9F27D1907DA5231E9FBD6529E3679ADA6A6D3C6769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:16.738{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4282621EA60AE62927F4234CD02CCB2,SHA256=76028180602C4460D417C52FD5FD57AC4120E8733167EA7AA49A6A347B5ECA62,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:14.310{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-37529-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:14.131{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-36658-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:13.907{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51633-false10.0.1.12-8000- 23542300x80000000000000001464633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:16.332{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECD3040A263FC82E0EED1FA726C542AC,SHA256=93B6D0A260C0BB8E87FB4CEFE2FE0264F7DD8085D80343030AD18ECA6ECC1CDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:17.375{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A00C248D8DB770525EB6A4B068349D8,SHA256=6AE24F5542D8E01FE31F0ECC48585F1639A228BB3B563751C98D06E452F05B07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:17.832{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE269F627E651B9BF7A761D290709F46,SHA256=440D366E262915FB680A5716AEE1215B668AFB31B160DB6F8782BE0E20AFDF20,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:15.427{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-44685-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:15.381{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-44490-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:17.582{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:17.379{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C036E9A197D88172B80273F74A5BFF0,SHA256=9B8C81F0F4F5D4BBB49D91C663756E87898C99B911BCB39B300424FC087A5AD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:18.407{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA38B61748BEA368B53A6A08CDEC460,SHA256=21666A96462040E685EC19FC2CD14770B57976435B5BB4240B82CE3CC95B7FA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:18.957{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A053CE0A0D93580044E25157CB59A60,SHA256=38D376591B43AC64329D827C44AE97B9F4C37722EDF8274390663F44266237A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:16.537{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-51992-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:16.466{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-51443-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:18.410{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3046516ABAD16B4B6A468E2FCFDBCB2,SHA256=65CBFEA920202BA3A6A333AA4B3D32500D20CF2A8480A149F5634ECCF1DB3A7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:19.407{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446BE9A5CBA098C4648E865BCBCBC31D,SHA256=DACF099F0B18C91D3F6831F79F5C183BB5B6BD9915056C78D65580204EEB8672,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:17.266{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51634-false10.0.1.12-8089- 23542300x80000000000000001464647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:19.426{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFBE879818ED7CD9E243768FB6211A8,SHA256=E0BBC0CE300F01C085F2A1C38797F24FAA5578F77766773B39E377DBE93BE200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:20.610{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08B9339764EECB44CD7EFA45C458BAE0,SHA256=DDABB0DC6026FCB982FD9C95BFBFE933E26739EBB5D96D14E59F90E1915C5F93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:18.809{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-7147-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:18.678{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-6524-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:17.616{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-58604-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:17.568{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-58177-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:20.488{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0109B605181DE288FA153B200892FE3F,SHA256=14642BD32E96C778BDB0B4D70310FE64BCC8D12300FFDD15F40649EAC30132F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:20.144{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AAA44C8577B5D6A49BA72CAF8EBA4D1,SHA256=5CAF27B09BB0BEC09FDC94ABF30BDA1F1375E8E04DFB834CA7F461288B64E0DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:19.866{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14069-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:19.813{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51635-false10.0.1.12-8000- 23542300x80000000000000001464656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:21.504{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F3A33D763DC05F9CA0ECF2CB6DE05AF,SHA256=DD927FA43CB873BA65DE8C466E908427E31FD51CAF11111E699BF9BCB1CE2315,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:19.382{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65243-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:21.657{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89536C36E6201A0D75D947B4B8A6BD51,SHA256=6A59AA6A51D73E883E2CD3625143B250BB0FCE6A7B58ED75062E0E7B23CC8F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:21.223{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1134D134F7E66D15C14F6554B2851D21,SHA256=2287E4E235431F4F99763B9CA6D02CF27FAAFDED479233E1010382DA3C725CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:22.657{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5CA83A66C1CE55B95A6A45B3865988C,SHA256=0DA0DB4B7F77743CFF8AE399683740849863CE9AF2903C5A0D9A3BF4DE2E3FC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:19.942{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14526-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:22.519{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0AC992701F68CB6DF8ED0D36C95AC1,SHA256=9797FABF56A650E5548867566F84C95FCEAD2A30FF2E9DA82FDA4633CF8425CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:22.379{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9313B011CC23D3C0B25ED89EDE0BEE5,SHA256=9B0D810EF3A7BED064122981B30CE71FBF8351C90E35F0F623E0A17DB21F90A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:21.607{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-30606-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:21.200{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-24792-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:23.657{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13226F02216F460C3DC0778D001E7508,SHA256=616780A633E3E9A1DEA3917784BD1FFDBDB31D7CF52A9AC868785880DE936F9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:22.190{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28792-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:22.100{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28222-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:21.067{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-21629-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:20.962{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-20897-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:23.582{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D254A007BDDD40153739704973AE77C,SHA256=376852DD402E0293104F9FACB67143B9A8791C04FFF0670BDB0DC7B31B7D1034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:23.441{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B59BD2EB12AF5E7565AF1C7026DB2D6C,SHA256=B2E5B8D9DB2083ADF8BF88AB53361239BC4DB2CAEB0A77D3058C8C1AE09C6C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:24.672{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77CF514C2597B38A3264082F6D8A230F,SHA256=2D8166AE62FBC7A676C3529232A908730FEDC264962E9388388B9B1C479E1B9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:23.318{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-36179-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:23.249{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-35765-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:24.645{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=991FC8018CE7FE7C9CA928FCDA4DF5FA,SHA256=4B5AC64C869576EC4DC4F214F6271049E227970AECC5A7B2B6BE5F2C752518B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:24.629{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F9D94C3C2E0B710DAC67077330456D,SHA256=130534D1158D190C4DAF48E67439EE5E401ED61841BF0C9F1CB13A8001AC3257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:24.172{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1667C5AAD5F916C21F1446238C6FA233,SHA256=62ED4B1EC6F04F96E3BC4E3BC4388A36D1CAC3B2A5A9C861E7DCE801AD994B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:24.172{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80089C4AB76438550108480451A2A460,SHA256=2613D08E544D5DAF28E4F75E9C7D9F577B51B38463FD5690E6DB45ED3AE3B747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:25.688{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE738B684AE1F1B0D7DF10B933E78F57,SHA256=3DCAF53FE4F9E4919454C9B751ECC4F54584DADE46482E5C9A4F5AA3BE5EA478,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:24.428{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-43417-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:24.366{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-42960-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:25.723{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA46F7FD56790DDDCDE9EB2B29A7E482,SHA256=042550316ADCC2FF01F3540223C43289F608E9C7A573D306A163D6E696D0E116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:25.691{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390BEC7676B58F158CBEE12AA0CA2F63,SHA256=C117B824ABB24B3B1A9048BB2038A2A79A6EA7F6060D280F3FCA0A3A25FC8F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:26.926{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE08DB35F163BAC491290779900F08B7,SHA256=8B04B8EA717284F41B21D7F15E458E560AD9517FDF6C00764C346929F8C4322F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:26.848{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3CBE-6154-CF04-00000000FE01}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:26.848{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:26.848{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:26.848{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:26.848{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:26.848{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:26.848{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:26.848{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:26.848{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:26.848{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:26.848{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3CBE-6154-CF04-00000000FE01}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:26.848{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3CBE-6154-CF04-00000000FE01}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:26.848{69CF5F33-3CBE-6154-CF04-00000000FE01}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001464677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:24.876{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51636-false10.0.1.12-8000- 23542300x80000000000000001464676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:26.723{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E9D4F93D1EDEE79DC3D5519029CFF8,SHA256=F17CCAE8ECE13FBBFDAF76DFDBEB14A1D63FF4145191AF9F8FE58EDC68B626D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:26.688{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519FB319500B2179293D50EA91A9146A,SHA256=5DD571298A739E5BA61EA0C818CBE7AE8904F59646F68B74D9EB2873EA29E522,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:23.070{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65535- 354300x80000000000000001464707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:25.597{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-50775-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:25.458{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-49699-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001558547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:27.719{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3EE60049E82BB77D7757922AC6E344F,SHA256=603D869C0AD7DE7A5AC3C0FFA26353B20891D87BB115D47AB7BAC3193C9B9FA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:27.582{69CF5F33-3CBF-6154-D004-00000000FE01}1716664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:27.363{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3CBF-6154-D004-00000000FE01}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:27.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:27.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:27.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:27.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:27.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:27.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:27.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:27.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:27.363{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:27.363{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3CBF-6154-D004-00000000FE01}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:27.363{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3CBF-6154-D004-00000000FE01}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:27.364{69CF5F33-3CBF-6154-D004-00000000FE01}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001558546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:24.487{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-44910-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:24.429{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65244-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:28.861{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=522822CAB82212AD2C8408F3BB6A6F15,SHA256=1E0973A54E4997609F053196102F02F6CE52173C0EBD2665CB5CF3464990F021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:28.895{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F502066923F2236FB199188EF596811,SHA256=64A1099078C196E0BA066083C38710C43059375C5CA59763D6CA8BE4C658DB6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:28.191{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C086C9C1B8F952F1D1740FE036B14F23,SHA256=6E911773096A00D08BC5FFF35078639E9A5647424CC8AC008A446E9243FD0711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:28.191{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43E725298E895F86892EA6D941E93043,SHA256=EFF655D4A217C812273B7E2F324843CCA63BB8AF2EABBE9255BE943F746F7221,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:28.157{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1667C5AAD5F916C21F1446238C6FA233,SHA256=62ED4B1EC6F04F96E3BC4E3BC4388A36D1CAC3B2A5A9C861E7DCE801AD994B0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:28.006{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-7118-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:27.926{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-6558-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:26.728{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-57916-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:26.663{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-57506-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:29.941{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042123044BEDBD59DDE31F1CCBA07F3F,SHA256=A88DD7EE49A05D1B6F80A2650D52B36F99FE44FAE78588DDEFD4FE4A566ACC5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:29.861{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8522BF2FF484CB27B0EE1B0FBFE82F,SHA256=B9D3C9787AFB01D7EC79F318ECB99BD071096A9409F5432AD0A31E972ECEC926,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:29.582{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3CC1-6154-D104-00000000FE01}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:29.582{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:29.582{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:29.582{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:29.582{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:29.582{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:29.582{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:29.582{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:29.582{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:29.582{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:29.582{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3CC1-6154-D104-00000000FE01}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:29.582{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3CC1-6154-D104-00000000FE01}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:29.583{69CF5F33-3CC1-6154-D104-00000000FE01}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001464711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:29.316{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=971AF9BB35642E843D96DC8C6D2199F6,SHA256=DEDA19A047F1B29755E5F80683121ED35A2430B40C99A042E247F99BE0AD5C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:30.957{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C625273913A57BEE034813D3748047,SHA256=34D9ED5B2241D72D3720FDD35F3CCCEEEB6CD4D511BEF006716DB6D6626EF6CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:30.861{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69D3E4894203E866BF6A027229FBFF8,SHA256=ADA6B6F0189E947225A40C6693202B45E2562A792F6E4269D208DF27FD9446E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:30.441{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F865DB59D1E0DBB2FA27F1AC31976A18,SHA256=908BC583044066A22381590C4B4246AB92DDBCF14E899F1F4EC068397075246F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:30.564{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A7C551A68BE80C1D2010151292A4AD6,SHA256=BFDD714808152526CFB49CFAAF62B0AA1031D7ACCF4C1E64AF12D752D467617A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:31.861{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50B7A24C205F19EC46D8496F575BC7B3,SHA256=A5A2274DF88DFA382BD8FF0B86D0ABCFB56EE1E6790B20FD5B930F6BBC60AE28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:31.973{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C1D099909746B8AB32DF7B0C339347,SHA256=3A28C5E5CA9FA3A400C94E523FD0388832FE64E856CA4AEAB945ED6A978C15BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:31.520{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69085B9D24CEAE3F01E4BF2FF586EF60,SHA256=8ACEB61D19470FA69A1D84B4534687C80FFE83C5FB343E60CB5A0553562E35E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:29.096{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14010-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:29.052{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13737-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001558553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:27.917{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-10704-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:32.861{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9476C3FAEDD42EBB45FE7728819CA9,SHA256=40560126EB0D4DEC09EC1D6F5813F1DE28FF32E26095463666F2C52DD395BC9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:32.988{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394895052F6BDA40353C5781CE175848,SHA256=C43ECDD8A3545FBA0E20569564672267765E0F862678FAD8C5F5487853C9B472,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:30.430{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65245-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001464738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:32.598{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41EAF550024B65E2E552F86BD5CBA102,SHA256=9D472B8494F4F2E95ABF2EEF67854884EDB52FB29CC8CEA83765BBE3E33D21C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:30.210{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-21020-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:30.163{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-20682-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001558558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:33.861{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9ACD9D18A576F4DDA1DAE6129416E5B,SHA256=419BAC72C72521C5453F526300A6903301784E61681A704D17AB188F2D27E755,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:30.816{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-25094-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001464741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:33.723{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E398910AFF5359884056EF239973CF5,SHA256=1B8A932B7118AFFC4B7FE3D7431750BD5C3F904EA7A215B210D7D6EA6C1065A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:30.767{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51637-false10.0.1.12-8000- 23542300x80000000000000001558561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:34.861{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F88481B7FBA3CE856B5AB03FE13FA6B,SHA256=A9EE81E6BC8238AAE623EA0EB2AD564545111C0562DEDEC176145290B5429F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:34.863{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=851190571A651CB981F8AF9B3C8216DC,SHA256=163E6FF8B8FB5B0AEB08918577B79620CB1E4AC13CF38DD7FA06A890F2994F32,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:32.366{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-34694-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:32.330{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-34360-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:31.288{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27803-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:31.241{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27459-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:34.004{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE8EDA8F914B65382ADF57D4CB1BF5A,SHA256=A747E2B90758BB4765A9332AEE0863C52116A82A5D3774731E643088A27444C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:34.471{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A2BE520BCF9849F13470548740DF5F4,SHA256=596042CBB57C72B4BAC9E44572CA852C6CEBA2F48CAB2909E3B3BF3FFCE02077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:34.439{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BEE5197950C5A87C17B78A681176A97C,SHA256=9E3F63A815425CC86B3F6621EDA0D5CDE5896F247873DAFEB0F30E156803FCE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:35.861{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D16E81B2BF4AAC97F684541F6AD765,SHA256=CBEA50F55E1BA076F0693D422F97EB0470670450C2766A202971DF9C7C107213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:35.988{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C57BBA7E5BE623630AE608665CCF9D1,SHA256=4D43C4E6C515420B45197822A3FCC3634F00D7855A026A725B670AF03075A8AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:33.507{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-41840-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:33.493{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-41813-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:35.020{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7193BEA00346261CAE373CBEC73CBBCC,SHA256=3B3F6C99092F038FF64BA5E0AF4104C79117EE2135825503ED452D9FBAA86A4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:36.865{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE0C73E22D8CDA89805260ABCCD84081,SHA256=238E6C78AD1CEB5D4EB17580434E10DE92300C07B3B2817E3CE25E79DDA9EA51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:36.850{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-149MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:34.631{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-48928-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:34.603{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-48664-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:36.051{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2D29B275F23D0D389BEE385CBD646C,SHA256=B2CF4EA16CEAAAD16592D5D715206EFB9D1662B4580EA05D2CFED5BA5CCC2B70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:37.871{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD5ABDC1FEE4C5ABC4F0E95A97EA78E,SHA256=0D7C87D98FE8B11815559A4F2ACBD19765156F765172522D2BD189AEFA579144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:37.223{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D196B5F29436941B392CD396A485970A,SHA256=02DC3EBE47DF3E219910788DD0A2393C3E3D5083AC77440ED868DCE88A03EF8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:37.067{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E83B1898B2675FF3D917704767A1C6,SHA256=E9A42AB2C14F2A60BF8ACC9DE10DF617FD3182E44BBA200B48F95D1119B101A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:37.859{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-150MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:34.797{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-50034-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:38.875{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFA21FFE1D619CB0832BB0C1599E4D87,SHA256=8317544084F1AFB9533CAAE56367F2D0263BD66703D05AF33FC4553FC1B0C1E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:38.301{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6ACE63F3D092D1346EB580B77A03A7C7,SHA256=07BFE5D4DA1D7AEE95A829323EA9699D99EB3115D45EA0E4B31027FEA76E4D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:38.113{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C20E407E8F05A489B8D1D082045E167C,SHA256=CCBC6B2D45F0B0C27436B723EC2D474E39522174A271F5880A4139B4950FA775,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:35.493{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65246-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:38.484{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CF6568C33385F4EC706C08DB373F4E1,SHA256=D0EAA41620D42987D2E840AE80A139932917F7DB3959B1123031F25F5F5D2060,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:35.891{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51638-false10.0.1.12-8000- 354300x80000000000000001464758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:35.850{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-56513-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:35.741{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-56030-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001558571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:39.875{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F139AF73BCDC55BFD112727FF042E38B,SHA256=A82D9073AD4AFE6A18937059F3FE1EEAECE9BA8BEDE57EC2EFAE4A9DD58173C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:39.379{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D85DBD0F4AA5B00BBA96BC403E98678,SHA256=F3B19B62AEA76D10DA2611452DF2CE4EF95030872484174BC68521450A5CFECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:39.113{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F9AEB89C1540645D196B60D56E18AB,SHA256=5A8B3C5BF2EA0BA6CFD198EE619CCBFD5B2040CE077242476B17988B7C5ECC32,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:36.944{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-4776-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001558573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:40.890{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCBF6D26DB0445BA97380A9F463D669A,SHA256=2427A3C9221C69E553AFB33A6600F5819311F38799AC8380725F7403C4F3DC60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:40.520{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=295982BF0282EC32AF42FCA423699392,SHA256=4D4B358EA9019702957C6EB8B1224E988EB3626E8AD31EC8A0B19A28D7B62444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:40.129{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA6A3D3E8948A528A273B092D95FEE6E,SHA256=ECC231623260B09FE5AEC3E71FA557AC7060D94CCCB390A394115431CDE231E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:38.237{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-16155-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001464767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:38.084{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12224-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:38.022{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-11718-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:36.990{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-5082-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001558575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:41.890{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C746FEC6ABC0E0B04ACC3E240CF0C08A,SHA256=E45850A3CEBCD90890FC8A4ABBCD4DFC7078BF612915D5554BB18ECA762D0DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:41.614{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66EC3265252AC9DC08C4B3EB9A1A3E2D,SHA256=C5363216DC76944F939640BB6BC9882B3C0BE3FD38C2552DA3E51E732667D8FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:39.132{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-18676-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:41.130{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD97EB78BAB245551766BED77C7F7456,SHA256=EA7E6E8A12BA242A0F8A41594B060B18BF6F13BD77FED2BCEAD60EE032145FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:41.250{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3A322228C0DEABBCE6798ECFFB2CCEA,SHA256=9A5C0481741DA2FB682A149DB967DBAEAE0898DC269B357DB5F38F5500546234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:42.890{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D6C718F592A8D17B2CC15A305A19E0,SHA256=C2A3294690D0CABF8B4207ABABCB53AFF1198228894995521F07E2DAF98ED1BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.832{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E606F514448410064F05FC37A75342B,SHA256=AC07747DB698CEC9184F061628BD658269728EE5EB81DFC183920D6AEFA2611A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.817{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3CCE-6154-D304-00000000FE01}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.817{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.817{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.817{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.817{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.817{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.817{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.817{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.817{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.817{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.817{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3CCE-6154-D304-00000000FE01}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.817{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3CCE-6154-D304-00000000FE01}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.818{69CF5F33-3CCE-6154-D304-00000000FE01}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001464790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.598{69CF5F33-3CCE-6154-D204-00000000FE01}23921244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.301{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3CCE-6154-D204-00000000FE01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.301{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.301{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.301{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.301{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.301{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.301{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.301{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.301{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.301{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.301{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3CCE-6154-D204-00000000FE01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.301{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3CCE-6154-D204-00000000FE01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.302{69CF5F33-3CCE-6154-D204-00000000FE01}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001464776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:40.257{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25928-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:40.255{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25813-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:39.163{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-19118-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.145{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80761855FEE19F67332E01C3E5316ADE,SHA256=71823B0A469A261301CFA7DF5C055CBE3EB9AFF8D4BBEE2E62A5206102BC6B41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.989{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3CCF-6154-D504-00000000FE01}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.989{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.989{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.989{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.989{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.989{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.989{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.989{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.989{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.989{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.989{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3CCF-6154-D504-00000000FE01}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.989{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3CCF-6154-D504-00000000FE01}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.990{69CF5F33-3CCF-6154-D504-00000000FE01}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001464821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.957{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E795D1F6127612DFBBB6C3193498421F,SHA256=C055647368B9665E07E7BFC65FC5B478BB5E223081F091FE6051F75CC9A8F2EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.739{69CF5F33-3CCF-6154-D404-00000000FE01}34404084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.489{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3CCF-6154-D404-00000000FE01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.489{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.489{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.489{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.489{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.489{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.489{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.489{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.489{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.489{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.489{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3CCF-6154-D404-00000000FE01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.489{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3CCF-6154-D404-00000000FE01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.489{69CF5F33-3CCF-6154-D404-00000000FE01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001464806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.301{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFCBDED0DB84237CE1392217805E6FD,SHA256=EB316660D08DC0A9F3F0F9A917258DAAA61C44EEE7851A3D7FA1F465FE125ACF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:41.460{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65247-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001558605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:40.990{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-33298-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001558604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.609{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001558577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.547{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8706443B9CEA11D1E9D5A9934C5C3239,SHA256=11CE4393EA7B326BF7928BC0E5710486625A54EFBCBD9F10F25F07FF8611BFB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.020{69CF5F33-3CCE-6154-D304-00000000FE01}30842396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001464837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:44.473{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6606EB6CEAC260E5C085F843D07D173E,SHA256=D179A025E60F59F9A723B606CE09516C3FCF0B8D56DD3061EDC608ED7BF407F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:44.015{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A1BE86166CD13B9E74FB7011820B9E,SHA256=E527F8FAC43E297BF6A074054554D727275118BB99AD786F0AF381265CC5C81B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:41.781{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51639-false10.0.1.12-8000- 354300x80000000000000001464835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:41.429{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-33148-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:45.473{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=761D73CDBD9A5180679BF4FCF58212F3,SHA256=E1C26A09397031C6A72095EFF604A7C6E68AF836D0C909FD1D67B95017449508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:45.734{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AE6C84A8F23246B175F3941F40D6374,SHA256=0E9FDF917D7B18DCA372F6CCB57B0D5805D96663757CB87F23E09C8C9E1C26DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:43.284{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-47820-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:45.234{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BECA6FD019F4F7B4EBDD9E0E0BF7016,SHA256=6E04546E8CE5D26B82086AEE5FC38786F3EEACE565EA169A3464A5A4ED6DF8DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:43.678{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-47595-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:42.569{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-40271-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:45.004{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2B7C4A6DBAA06A242FF454779FB233D,SHA256=CAAA0E3D52478DC1D10F56E2A2679FAAAF9885F0D04220D64D425A3BD15F91BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:46.489{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=873EB4146705BDBEF1CEC5208A567C87,SHA256=DAC9CAA4AAC9C995F0DD5ECEA61586B54DCDAF4985C751004280D14112B066F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:46.250{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF929AE7D114F2B99A5751FD7C9489B,SHA256=94E907DCAFD0AD5119E7DF42C865EF7804921868C88E7337E674F2C7C8B9770F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:46.129{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84765597DF0CDA64DFD3B0D10B4BCBC2,SHA256=A87380AC6C0553AE0BDB4DC64A7A497417B25CEB164CF4CEAA76EB7221073325,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:44.408{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-33021-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:47.551{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEECD120436072DC8FE0514A263B163,SHA256=3C48495713935D493F21F1A0A13F170BACFAD87697C695479D89E6E9B2F280B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:45.503{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-2688-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:47.640{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:47.250{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA274C1A0DD3D5819EA07783FDA1ECC,SHA256=FF57CD4EED050678CA42B38E8318D89DFB28F2FB2AFC1FEB3002AEEED65DD438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:47.254{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=390FD1695458C69707957E629D59AD18,SHA256=F1E76C1C3BEB095998D16A5385440B119AD17A04344F25D69EFD55422A525E1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:44.756{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-54095-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001558616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:48.390{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F198680D8CB52D1F086DA32B9F0F7878,SHA256=3B7D6857DF9EF0673AC70B6EA9EEF2EF65FE6CA53ED1121126D6F53F1B506D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.567{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA5B773E064951B5CBB2860ACF8910E,SHA256=1D807131DE0FDE402968D59FEB7C0AB055278CBEEFDB3E124EBEE442AF950488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.348{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E8059395BD27B6D7683FA8444B017F9,SHA256=EC3D0C18310C21B77260EA7C407F0339505D841D998E671C8AA6978B26FDC88E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:45.708{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-59972-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001558615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:48.156{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A4B0CD087239B4586C0EBAD9B93DA2D,SHA256=A7577121C7DF7584B1719BBD6CA59E7EF59996D7FE21161FDA079B9E52F9E06B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.582{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65630B72B15AE4BD305E72C1FEF0077,SHA256=7F8FA6D86AC57DD98511E64996EF4216BC0F94A51766119AB3AE88A30755B67A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:47.350{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65249-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001558618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:46.944{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65248-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001558617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:49.398{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40826CB2BA6A7D28FBD2D8AA4956F7FC,SHA256=A2D93D9F4A6078C04225DA374471C4FDBAAEBB139AE6D7C7F6718FF58EDA6439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.426{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=361D7B474E5874FDE0CB1396BAEAB4D2,SHA256=72A3B64011D0FB630C30BD2670A94C84E124C89D58FBD04288F6FCAC6C5712A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:46.975{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-9270-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:46.907{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51640-false10.0.1.12-8000- 354300x80000000000000001464852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:46.834{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-8286-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:45.865{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-2036-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:50.614{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=536B77D1B6689C58B8E142BDA9AF4443,SHA256=544B1D69F46E1EA7EE9BDBD63E3CCEBD5C9EE78C94A809D93C5A25BC721D17EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:47.894{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-17743-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:50.413{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55FFA71BBBDEC47C3C3174DCA3D31351,SHA256=4B1B52FF4F8E746A0166B0FF22995564085ED5F06EAFBCBB6272D29B09362CE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.594{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-19385-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.556{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-19138-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.517{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-19017-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.494{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-18792-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.459{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-18654-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.436{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-18393-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.398{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-18239-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.371{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-17970-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.330{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-17728-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.293{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-17469-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.256{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-17298-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.233{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-17052-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.195{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-16914-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.172{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-16788-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.149{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-16529-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.111{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-16303-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.074{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-16130-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.023{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-15301-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001558620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:50.382{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EF62A64B6F53457A84F3D1C14134A14,SHA256=80822768044A4282A13B54CAA111B3DDD26467B6401BA4B263F30BC9BF3C1F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:51.739{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1CF57984B1BEE8C762AE592F7EF396,SHA256=F16065E21F8BBEE5EF066BDA79BF6DB0E09A8112500AE18BD5D7B0B81F8F9B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:51.413{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668A1199CA204B019E181CB83B59E07C,SHA256=B96BBD575B71D477629B80B8B7CBE2116036A0063B6E87F9BE00114C3059A8D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.874{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27344-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.767{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26837-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.763{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26809-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.728{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26602-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.724{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26645-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.701{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26399-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.693{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26432-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.664{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26228-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.640{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26072-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.617{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25919-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.593{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25771-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.569{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25574-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.546{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25401-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.522{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25227-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.498{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-24984-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.460{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-24732-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.425{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-24566-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.402{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-24320-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.365{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-24118-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.341{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-23960-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.318{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-23777-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.295{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-23559-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.260{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-23292-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.222{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-23057-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.185{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-22917-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.161{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-22650-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:48.617{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-19652-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:51.332{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=993210FE8CFA4EF0C7EA75D983EAF9B1,SHA256=D8E6FAA9BE3A395D2A142AE47062FAFBF8C1D24A57DAA463BCD78449D5467BB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:52.832{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79AC1A3BF7D869A8C26DCBD3FD90FE64,SHA256=07ECB3A7A672C19C6396515C1D96521A7BA722B458E3FF74AC3655E3FEE031E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:52.695{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9ADBA4E8F3A29B144CA34EEEA92594BF,SHA256=1F2065F7156DB802D45ED09CD0FD519C92A8AE56CCABD2DBD9CAA9CCC356A715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:52.632{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98D4090EB921F68A0B6EF3822AA1ED9D,SHA256=8634FF3E65E9E54E3402D0B489CE479DCAE42BAC3728E17BAC6630881464C46B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:50.161{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-29239-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:50.122{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-29048-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:50.091{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28951-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:50.046{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28700-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:50.011{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28545-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.988{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28210-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.936{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27767-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:49.875{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27354-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:52.457{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47E17AE4F3063BF5E93BCB8C50520E4A,SHA256=EB0D9ED3638954A4D4890CC66EAA447A10E7A9368C8A897E903DBE9FD82EFACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:53.848{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619B9469E6206370E2ACFB618C3DCE81,SHA256=A3DC461823E1950DB05809071411973E7E56265514FE98DD8CD80AB1C03EE432,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:50.128{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-31436-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:53.679{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21B74FFA30AA21124093A666DED6AE2,SHA256=93600A8EFA80FC567746830EF27C16C9AFF6C17A7A1C13D03A1EC8C6BF9C6EE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:51.067{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-35137-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:53.536{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D073C3020A1DF8E775FFBB8E0004B85F,SHA256=16A262EFC0812AAC3E275770B774CC7CD7FC6EA4976DA44A319082AA22748499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:54.864{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76198500879CCCA8B864AF98D388039D,SHA256=268AE1B16043F8ED4DE26A8523A34FFFC499CCEF028172739A040F1B20E7B6FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:54.976{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1225F806B459170BEAFCD86B8CC0CD54,SHA256=9B5316CD395D6BBBDEF6F2594BC2E48586D2A93CBB10FF10532D54A69775958C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:52.455{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-45948-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:52.420{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65250-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:54.741{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8ED3DC2866377C1D0AD91DCF51EA845,SHA256=078C877C996D5A8B31D0E8D6D19F580B9D74E27802AFBCFCD0603A9121FEC95F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:54.661{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B109F386E9CEDE74C96BE066264702F,SHA256=D3A98D4F119392B28B38A69F3882DD4DE5A92FDE923703942A34DB39C058BD83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:55.929{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B38A2E6D640B1C0B03659F2A766C9E,SHA256=2D184E8C879672F52AA7278AFC2C60D989B05412F4591C27BFE065938DF5C383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:55.879{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48DB76DFC9AD9C25A2C710BF2B5883EE,SHA256=4E99A5CF1026CA5FDA8DBA378895F6D4E93C2E4CC6F4B51A5211ED14078DC658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:55.770{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=279499784D318AFB9EA860DDCD633D66,SHA256=D475DC6E4F2B9A7E6381538CC971B128A43E04CE38419632FF065153213D0001,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:52.954{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51641-false10.0.1.12-8000- 354300x80000000000000001464920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:52.178{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-42484-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001558641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:56.929{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A2C6F362EBE6257AA8186CF4CDB4308,SHA256=6EBE812DBF70006C43BED1D8607CB7C6B596891564A11B3871FBC97CDABBC0C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:56.958{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528ACF5D2B70B43D268008A1C8817BB3,SHA256=D0A63D5E8ADBBA14AC4C36AF9EAF13213FF687DAA7CFAD35AAC36C3C04306EFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:56.742{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3CDC-6154-1005-00000000FE01}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:56.742{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:56.742{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:56.742{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:56.742{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:56.742{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3CDC-6154-1005-00000000FE01}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:56.742{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3CDC-6154-1005-00000000FE01}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:56.742{5EBD8912-3CDC-6154-1005-00000000FE01}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001464925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:56.848{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36C6891BBD72B677E6BF7F7475920BEB,SHA256=81CCB77C3E5E4A2ACA97B17DF457560888AB29FAB895D9AC4B3167BCE6E8E071,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:53.273{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-49310-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:57.989{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=940566482903AD73E43393F700D67A21,SHA256=A6A4753906C18A0BCA8438317DB961E54DB7D4456D7CBBB3033A253D8B68AE8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:57.989{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF7DB9F5F9F574764A7916D3F0B23B46,SHA256=70967FAE9136A226B59187FA78CF9C311A98762C078A3EB57BFC17C1E3838790,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:55.391{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-1680-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:55.337{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse116.203.202.72static.72.202.203.116.clients.your-server.de52669-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:57.929{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A601F84DA9566BE0DC3F8DCA0B25FBE,SHA256=A6BE0A02925F61B8E90BCBFA008B7D223E2147E7C3DE9C7A07D1B724E8AC98F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:57.929{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3CDD-6154-1205-00000000FE01}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:57.929{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:57.929{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:57.929{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:57.929{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:57.929{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3CDD-6154-1205-00000000FE01}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:57.929{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3CDD-6154-1205-00000000FE01}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:57.930{5EBD8912-3CDD-6154-1205-00000000FE01}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001558651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:57.429{5EBD8912-3CDD-6154-1105-00000000FE01}9725456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:57.257{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3CDD-6154-1105-00000000FE01}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:57.257{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:57.257{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:57.257{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:57.257{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:57.257{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3CDD-6154-1105-00000000FE01}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:57.257{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3CDD-6154-1105-00000000FE01}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:57.258{5EBD8912-3CDD-6154-1105-00000000FE01}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001558642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:57.117{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19A10F2B550EC248A637FA69F2009E41,SHA256=010B2F31FECF9146A5220397FD85F63FF03D75C383E6E6DC8072816A17A58DC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:54.393{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-56224-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001558664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:58.929{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C55FD9542D7225EB5583E396284446A,SHA256=DCB1BF46FA191BCA6CB82173DD73934CC1D2F5D1AAEF42BBCE18A1F4D32FEB4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:55.500{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-4502-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001558663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:58.492{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBE9853B5A27DA4554C79633810A0D59,SHA256=36C146C4740395FB1B06AD914AB2D328FB93604111E4432C12731FBE6D42BCE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:59.929{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064506A2CCBE7F814B7757F8401B0478,SHA256=07BD50A525325F318D88D2ED89FCE71005F2A4CD2900CC89E3C796386B2A7A99,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:57.733{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-18616-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:56.602{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-11554-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:59.176{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE333A1DD1B5470DE2F343A769DF7D43,SHA256=FAABD9681BA857C4FD3BC211D3FCC4425C8C14A1EA92DACB42C8D21A63AAA134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:59.004{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C6F842B573FB9F5E4FC412631B7CB75,SHA256=E9DA4800F2F2CF4A654B287568E472E8F80DA16E5149E8D7B69E103FDF8AEE0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:00.960{5EBD8912-3CE0-6154-1305-00000000FE01}59284340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001558674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:00.929{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70676FCE763174680E7D81C39421F3F2,SHA256=7427D7BE144D0E89BA9288BE35815B2EB2E5494A3A63D9E93DECFDEF772E3A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:00.254{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFD55A9FDE5A704815018ECDCFB77F29,SHA256=34CC0C715D6EA1E6E1A436F93DD94E38E0BF9BCC75B3392C008B6D1B95B9364C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:00.036{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321B63647C3526EA7FFE66001E8BE90A,SHA256=ED49CF86AF7F18D1A9FE95769E0E75A88A169B797B68CB58E31272E3D8CE7452,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:00.757{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3CE0-6154-1305-00000000FE01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:00.757{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:00.757{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:00.757{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3CE0-6154-1305-00000000FE01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:00.757{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:00.757{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:00.757{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3CE0-6154-1305-00000000FE01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:00.758{5EBD8912-3CE0-6154-1305-00000000FE01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001558695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:01.945{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3CE1-6154-1505-00000000FE01}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:01.945{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:01.945{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:01.945{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:01.945{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:01.945{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3CE1-6154-1505-00000000FE01}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:01.945{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3CE1-6154-1505-00000000FE01}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:01.947{5EBD8912-3CE1-6154-1505-00000000FE01}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001558687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:01.929{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905B062FA1A837FFE2C666750684986F,SHA256=D61C8A1FC96C0659806A36BD7347BC9076B2C896DA6A5A758ABF9294EB232F7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:58.896{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26231-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001464939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:58.859{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51642-false10.0.1.12-8000- 23542300x80000000000000001464938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:01.348{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49B503C47EC5A52A1E4721F7D257B4E8,SHA256=87BBB649E8F2149EF515655C78FF899DC9EAA8877D262B811CC6CD9932888683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:01.051{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B9890A0B5D2D4B8A2C92111102BD8E,SHA256=73B451FFD80C4AA60BF6031FE627180CD36D32FF6BF12BED036E168664150CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:01.726{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=528BB116A8D1709C3087E4663C3A4162,SHA256=92237BBE3625FD7AEAB2A6D4A59C2AC0E031B8A872B100846C4E552EB2479E60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:01.601{5EBD8912-3CE1-6154-1405-00000000FE01}55042812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:01.429{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3CE1-6154-1405-00000000FE01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:01.429{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:01.429{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:01.429{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:01.429{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:01.429{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3CE1-6154-1405-00000000FE01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:01.429{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3CE1-6154-1405-00000000FE01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:01.430{5EBD8912-3CE1-6154-1405-00000000FE01}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001558676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:57.483{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65251-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:02.929{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04BCC76D56A77904B296FF0ACE6BFFAD,SHA256=FADE3021567646AFFC8C84460F869B7B98DEDAC48D6BEF8F900B3CA5DA25ADC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:15:59.974{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-33057-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:02.504{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E14EA5D49DB5E36D5C6CC7BAA7E8DFE,SHA256=28F8E2B2E5182E3C151600F28809C8C646B474C219AA0AD199731D44E70AAC7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:02.067{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AECF23E6D9DB647041D843C9B4FC8D85,SHA256=14F76D10A156C5EE8B3A57E0E96187F7E16FC2A93B975247C29CDAA4AF38EC44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:02.117{5EBD8912-3CE1-6154-1505-00000000FE01}44402568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001558698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:59.998{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65252-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001558697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:59.998{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65252-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001558696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:15:59.278{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-25925-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:03.929{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A1FF34C5726A6E370BC3176FFED81D,SHA256=948D5F85B8ABAEFBE7B8B7F6E4A472D0E4C1B61627916021F25DB89627150327,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:01.083{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-40211-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001464944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:03.083{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C5224680944BD2B4460DF5D1413FBF,SHA256=ED6EF36F0F9426FE0A564396BE6158E373F1CF59A495477428198676AC6047D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:03.507{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3CE3-6154-1605-00000000FE01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:03.507{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:03.507{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:03.507{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:03.507{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:03.507{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-3CE3-6154-1605-00000000FE01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:03.507{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3CE3-6154-1605-00000000FE01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:03.508{5EBD8912-3CE3-6154-1605-00000000FE01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001558701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:03.007{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55D46B38A9BD50D6703CB5AD018FA8E3,SHA256=2245C930B2DB474925D9EE02F140F7F7753B86445010FAF9E3269E29CBA10CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:04.929{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91851A3A5349C5D4B5188E54F378351A,SHA256=46041A9686E906A4D7774D83AFB31E77F939BBE4DF7CCF27040E7A7DD2039EA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:04.083{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C48F1A1C4584347DA9112713B2F18F5,SHA256=BF3FD8C7B106B9CA01F95F95662C5AB92126860D6058D6FCCE4521570AB799C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:04.742{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=828BE804F4F83FC2F97F27047684DF0E,SHA256=8A5E65EE2A15781CB86EE2CBE27605BF9724567CCFF80AFADA6F16D643F41DF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:05.929{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B7A22B776361EB27F04648EA80F7F64,SHA256=83BC9F6DB8138022558F0EAEFA7C42D25BD27B5DE70456F3ABE6DA252E521B59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:05.083{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE34AA4F9AC00DFCDED6F9D8DAF230A5,SHA256=F23001DF64D3AF90F3594B57111C0722C31F4A2032DEE3BC442E9A0542C745C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:06.929{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B577DFC9E5E17F1421EBD930F11D5C4,SHA256=62B1C56BAE13AF35C8228B5361E9BCD95896156BC3EB95BEC33B30B168C59BDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:03.449{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-50682-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:03.405{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65253-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001464949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:06.945{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-150MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:06.098{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ED6EE3FA2434CC266C16BB9C52C8865,SHA256=6EF5F93AB9CC520075643CFE428D77B4D66A48C05C35ED3AFF7990AD386BB532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:07.148{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1534399FF92B3F43B9212A173999751F,SHA256=CCEDE6CE94B206FE3B50F6331264F64C5C819A3447DC4EB6FDACD459A854A4C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:07.960{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-151MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:04.875{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51643-false10.0.1.12-8000- 23542300x80000000000000001464950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:07.099{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68696390A2F2BDA289CA14776121DC0,SHA256=6FA3BF21FDC7B81FD4A8B4E1F0FDEA085E33224E651358185209735C5D6252A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:08.039{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAD6ACBF057EC4E28297ECC27264C8E,SHA256=82D2D69425007252443E04867E17681EBB29C860274BDD9173DC3CFD40D10AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:08.113{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEAEC42E28B83B8C3284FA47067276D7,SHA256=9678199463BBD2D69BF1C372C7B2BD7201EAD7CFE057D87BB09492BDAFAC45F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:09.117{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1BC8329FA0C6E18CC0C986A7D0A8A6D,SHA256=FD3C66BBA4AB3ED2CA4936E2398283AE0E9B85B58AFE9883B08C355E0624900F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:09.039{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F22ECDDDBAF782587CB841284742493,SHA256=6528C3999380F28B798307BF7B3E010FE02D06B73BDAF8F9CBF4DB54C83BDDB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:07.388{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-17171-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:10.039{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386E66740B317727710F807E40C5ECFE,SHA256=B410D8886AAD91A77C98EDD42D07A794736113F1AEFD1BE63466B7C853DA4C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:10.132{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37B83D33B903607F503CE3D4B8CBD166,SHA256=3D87489BD9D6C150852C6FCAB5C5BDAF9A18591BEF58698F070671A862920E88,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:08.467{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65254-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:11.148{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFB24CEA824425B46B771486FA04A178,SHA256=678BC37C5C13B2FE4803405B9E3F560A2F11BE1186414EF579734B5685E0C4E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:11.101{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE5A38E7569E0CAEBD5CEDAFADD34F64,SHA256=67F7B13DF57708B349BAD738579C9DB518EDE13CB4327C682C4218CDC10A4C71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:11.148{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81195199C860C5979F2C2B7D92F957FA,SHA256=ED092F40AE59C0CA2754F96136AC0AEF72653AB304B68AFD7791FCC4502A8154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:12.492{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0A8CA3150D815F7298681CD70AA604E,SHA256=0450F9C770CCADDCB9C1432A33F1163D38E97BC65B9F696C4EC255E009017E51,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:09.618{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-21849-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:09.543{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-21433-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:12.133{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6486642AC8B23F937CA7E7C4B069EA52,SHA256=30F89254E63C03961A3A6CB564C833537082B30753E7DEAF74FCE1005E6C6E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:12.164{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF48F49225CAE4611D6774A1A2356956,SHA256=230016FC3364FEC6AFC36B6589880CB549002E3134FE8F08238B58DD6BD32A0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:13.570{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EA38DBE6E0B2CB93F4238152339D4DB,SHA256=560FC530283C95198A7C14FCFA401835DD06BBD39A0A9F4C059CA3801EF515F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:13.133{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C65E8E401A227769EA9F3484F57C40,SHA256=2A7D43ACB9F80BDE3053547168A46A16E3CC3D5A0DC9ED10524F3B8FC5197CDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:10.909{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51644-false10.0.1.12-8000- 23542300x80000000000000001464958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:13.179{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FFB39A177B539FFBDCCBA005A1EC8A2,SHA256=E3A2CF571F3F8FC73EEBF588D3C50EF4B955203BA4BBC06F218CEEDCAD496CE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:14.695{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F91E1FBAFBE58F00AEABD8AC15201435,SHA256=91DD003E6223726C9F2069DD1F718B39638AA309F43B69A52E4CA9084E3504F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:11.832{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-35743-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:10.870{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-42710-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:10.739{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-28838-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:14.367{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72151D809EDBB7EE356961545E41E434,SHA256=FB04043886E85F28696F905AE93FC7127C7E5C84FACD8F8559B876B14B854ABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:14.195{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D66197FF13E7A5578F64FC77EE87FB1,SHA256=433D4DB9751F4A503A028E057DA8308FB2EBBF024A132BB5E114EB0927B140BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:15.773{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8C7756EFCE1CC5CA9DBC57696A87DE5,SHA256=C8FAA344AE2032D78B61191CB54D203E319737E88675FBC01B3B87B33F855FF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:12.925{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-42624-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:15.430{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=214A6D825E1920C88D94D388AD912B15,SHA256=B8E69CE25818E2C1EA555039DBEA0AF3F9BD4609E03149EEB9454E0A39BEF099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:15.211{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F1787EB9EE9B439BD52C79CE24CC5AD,SHA256=23695A0E9E67B426ABFDDA3A6ECD4A67D8801959604C289C5561B287ABFF18F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:15.211{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BB84C9B232E2EB3ABF899ADA91B007C3,SHA256=716763D670797671366C5B98908F6F4596E2A9B80006335657A4541C436D088B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:16.883{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01397144BD4CA20F4F4E51D88E019901,SHA256=5DB4DEA1BB65C2415ADD8E61E917DCF003241A0D3C627839689D6A73B9F723C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:14.034{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-49611-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:13.738{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-56706-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:16.492{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642A70F97D36682F03B75E447FB7BD12,SHA256=8E91FA8854EE23EA8278EA8389F16D6509DF87B820C00A8F225505B52CEA87E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:16.226{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEA89339A86408EB7E2F4060635E3B14,SHA256=50E9411419AA3B769A8A41D66F5F38DEB109469EE491E508F0E0E16D5D116078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:17.726{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2717F3BEFC11E1EAE9D317B1180B6C11,SHA256=51DEF2A44EB2FDD17C59D239174093447641EA9D028DE8D34A38357968303A62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:17.586{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:17.242{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8C0F1062FD8A0F718F2CD4CDA87F1D,SHA256=95EE243C2AC233BAC75BCBFEC92F583739C15F7A8339ACE68E914EB1E8A9FFEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:15.125{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56266-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:14.389{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65255-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:18.727{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51DF31EE749B15E17D69F01F5B4C5A76,SHA256=4F38D9B1932F06F8DF6B6C543A58AE7E8F756A8D9727E5BB67FC25BB71F2B017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:18.321{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C169F8339378EC171AB8815FA8129E98,SHA256=6DDE9F49C9ED1357D0964B6E0F059FE9A7D3D4D1B824DAD2E8B824315DF1AE70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:18.008{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2F5E8CAF1EDA43B540B055DE2A2E6A5,SHA256=AC6E693D3B7B4ABCBB2921B27695605EE4B538A4BB27AB240E47B3BD87097E2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:19.805{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A99DA7D5CD55733E8B4744B043B85AE2,SHA256=4C2AAC2429FB7B2747D7A1999C0F47E4E9B5C7F197B61EB3A9E4FCDF19149331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:19.337{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4263F838E77EBADB4C4F12CBD93ABE23,SHA256=15AA542A0C233CD33DCCB25AE38F990F42EE3E51363C6E83FCB8667DDDB1A676,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:16.237{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-4086-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:19.133{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C15DF92C84E1AE84BB33D7E7E1056279,SHA256=EA38AE9AF74BCA919805BA575D581758134DC15FAA0BE9AC8B7F035A76B3BA4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:17.284{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51646-false10.0.1.12-8089- 354300x80000000000000001464967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:16.753{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51645-false10.0.1.12-8000- 23542300x80000000000000001558754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:20.820{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BFB1BB5F5AEA72AFCD6B13301B66E7A,SHA256=DF55F5971C570F1307710CD8BDF796B9D771BF3A992155DB9EA872CF146F1D25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:20.353{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC22923A731E6B4124AF7A78A2E2DB7,SHA256=709176286BEF4A591B37F20F0B1709E1FFFEE3E75FB9069F7C830D7AEED7FCA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:17.849{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-23371-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:17.362{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11074-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:20.258{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7D7A6361247E52A62F4BE5D960D5102,SHA256=A4D13728B9319CA8B3AAF6D7BEBF9D4264FA9EC54A3BA733A20D87CAC9F6603F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:21.961{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F50E88C30AF646815C831056E9107DD,SHA256=47A14B585BEB58B955485FB6940D0555D7386CC6E0688D18A22983A7BD3E43AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:21.353{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC50F79AB4CB4A8C04DD66C1D90AEEA6,SHA256=319D80994009B22A7FD6ECA4CD2E8BA06894DB4E323EEB88419D1449559C7C9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:19.483{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65256-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001558756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:18.486{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-18160-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:21.383{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=619A6D8C169BF8F56973DBAC674A0EA8,SHA256=42538AD54E3C4732D6D82F154907454C7076332500D3C17EF410D4516D1B2389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:22.961{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A27C984268F38FBAC08110F20B04E426,SHA256=34AF03ACA8CA1B42260187D86FBEB0390C8532D087B08C3FA1A9ECCC7FBD1A39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:22.368{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47135C73F90536D7299F392E7BBC8986,SHA256=94AFA20A2CE6375B1288A306586957EE4484ABEEADE3CD5D1D191B12E4F268DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:19.610{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-25049-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:22.461{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33822AF8048B83660BE4B049DDE2DB47,SHA256=0A3B533793AF9AB390C8B7EB4B414F9E8EE51343CD011E29D5C0B5A92135A1D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:23.961{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A58C7244FEC5AF885335875CD0DEE748,SHA256=7481FFC66128B08437CE47CBFC179463B6DF92E9E8976FF1CA774A7E5AB58171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001464973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:23.384{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1024DF6282FEAFA3C004910E2B6373AA,SHA256=D14E05CA28DC25FAC118201595755401124FA437885ACD39E2EB27D2DCBBFBAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:20.722{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-31952-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:23.586{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99B5557C96871A111DEECCAD74E66C99,SHA256=ABA7C9CE15B534999B876AAE8FA67FF39A8CF6980941A44398F34530F390AA11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:24.961{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE980735E18DBFDB7511C6E93C537E8,SHA256=360C6936DB3FA1813D84F1EA3A550A21ABF2BAC4ACCDEA31C1A4689DC3648AD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001464975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:21.895{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51647-false10.0.1.12-8000- 23542300x80000000000000001464974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:24.399{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAACE6C64BA1C066B053177A2D44357C,SHA256=353EB028B82E3D4E399830B521C00AF5546F12E67C7E403D757DB61B4B97FBDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:24.742{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB632E3E4B52D010D39782365A50D955,SHA256=E7690EEE8E35F174FCB0FBD81ED88FE403421D53F81EEC47FDC1271310D4CB6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:22.022{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-49032-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:21.814{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-38413-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:25.961{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=765B327920AD426028A69DE77A0E1711,SHA256=44FE8AFEC0E1CD6E68DAA5BC463BFCF4423EF4414B90C30860C909FF91F584FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:22.937{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-45440-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001464976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:25.478{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47321AEC9535D210086C3F8E18E2B63F,SHA256=8B08189A0340AA0C5F1EE87D7D6C806845E253999E924BEADC004338EBFC2C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:25.805{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD3BA4280436F746FA2496ABC00E1539,SHA256=E5C36E0244D8A25A963AB48B4499404C284DAE5FE94BC971EBE1D0950FB1A612,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001464990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:26.775{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3CFA-6154-D604-00000000FE01}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:26.775{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:26.775{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:26.775{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:26.775{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:26.775{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:26.775{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:26.775{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:26.775{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:26.775{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:26.775{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3CFA-6154-D604-00000000FE01}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:26.775{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3CFA-6154-D604-00000000FE01}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:26.775{69CF5F33-3CFA-6154-D604-00000000FE01}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001464977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:26.524{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7192BCFA71F36E7165AF4497F50FE994,SHA256=4F11EDA2D82459EF88F235C0A998ED02979D9A098B5B341DA71F75C4C009A113,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:24.099{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-52570-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:26.961{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39FA33236BBA60C6EC324CB16743AC15,SHA256=B54CEDECEB12F6E7BB0888A6CF36CFC1D9788B592D598A3E0A6930015FECAEEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:27.915{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F15E14188112A617D78751954F2EB52,SHA256=0CEAF846B7991EF4C52511A2CEAB9E2E87F52DB2DF13BACA6087D7B583DC6057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:27.915{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF9D9CD8B96B95C598B884EBB5E8B1A9,SHA256=57CFC02D71CA17A068DDA491E1401F999DF413D2F22A7FE0E606A9E7D1C0FB3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:27.915{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5C865F3429842A2F2396360E78BCF1,SHA256=7543460083471E5574ABC47F2D9BD7A4C171CC026D2CA7E60FDBA9CC127D5F3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:25.436{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65257-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001558775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:25.191{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-59294-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:27.133{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB232D4E5BC1EE9AA5C6FB0010822041,SHA256=A4E019336D1BE859A8C63B061EB23E7BB85E1CDD7F2DC98F01E1882CCD296446,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:27.478{69CF5F33-3CFB-6154-D704-00000000FE01}18242328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:27.275{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3CFB-6154-D704-00000000FE01}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:27.275{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:27.275{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:27.275{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:27.275{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:27.275{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:27.275{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:27.275{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:27.275{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:27.275{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001464993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:27.275{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3CFB-6154-D704-00000000FE01}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001464992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:27.275{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3CFB-6154-D704-00000000FE01}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001464991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:27.275{69CF5F33-3CFB-6154-D704-00000000FE01}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001465008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:28.962{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F5C3003963A6907E5576CDCB0DA8C6,SHA256=72A79E4698BF058D4F4793F296487BD5AFD6920CEFA1CAD3F8A2883B2CB24382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:28.133{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F701701CAE325760533F8C532CF9C7F6,SHA256=58F6ADA53A18658B65922E0F84278FCEE869F06600C49DFE0DC27580D8BD5308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:28.039{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BA77B77A2AA1527F600AC6DE00C1FE7,SHA256=F79D7C5DD7D506DCC52C586B7BB9DDE6A5AED458BD2F297EA910A89B279E3CAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:29.978{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B39A386E00173A77B85D422F3BC606F,SHA256=865304F2BB95389AB73D4D39C9461FA3CB171B066C31DB7DCF53D17BC8C1F432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:29.367{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4021CCAA0E0F238B64699FA303392A1E,SHA256=969B3D281DCAB303120BF99049DC2C993BFB5EF6FB98655B380BDB690BC1168D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:29.603{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3CFD-6154-D804-00000000FE01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:29.603{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:29.603{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:29.603{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:29.603{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:29.603{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3CFD-6154-D804-00000000FE01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:29.603{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:29.603{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:29.603{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:29.603{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:29.603{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:29.603{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3CFD-6154-D804-00000000FE01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:29.603{69CF5F33-3CFD-6154-D804-00000000FE01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001465009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:27.769{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51648-false10.0.1.12-8000- 23542300x80000000000000001558780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:29.164{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53F3497CF920328A621A8F3D5048DC76,SHA256=F9E6D07F9645BE088541EF126FEBEE2D7192CE8BE6937515EDA536947801974F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:26.091{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-15754-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:30.601{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18A173B5ECE3AC7655393E8486D9270,SHA256=E3EDAF7EF4972975E58DEAAA5596C0C4BED84FE21B4801088AA068E2DB739366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:30.696{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F15E14188112A617D78751954F2EB52,SHA256=0CEAF846B7991EF4C52511A2CEAB9E2E87F52DB2DF13BACA6087D7B583DC6057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:30.242{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFBF87F02456A22102BADA32CDEEE8B2,SHA256=05147EF3B9E27C71CB8355941AE7870E05F1A34374D6E9EC485A695A35A3FE5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:26.300{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-7099-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:31.726{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579937E7BD5CF701E70AEEA0D70AF8C3,SHA256=DDCC5DF183B1134885D9AE3332080BBE238C7E48446C8EF5625C12B23AD58F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:31.025{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87200BD06B1B482F18B1556D2CD159C3,SHA256=2792570CBDA23A6AFEC06E21A7121BA95B12803AC9515F9CBAF4855F15A39A37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:31.320{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C23D1E6E2735B6707B213C4B6F17C6F7,SHA256=FB87CA46B50FF9A342486FE7DE06CDFD2C9F94D1E71288DA9DD987E81383F0EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:27.393{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-13754-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:32.867{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E998FA4F145CF82D7AE60E4761C2903,SHA256=3B560EEB26E19AC3A084A8C3ACABC4563E77C374DC83B691AE4A167973707474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:32.072{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD1CD6DCA17B855960BF4195F3FF3D8,SHA256=F9DD7F1112FF2BD338B60EAAAB29123E95200A777F16BDAA209F860D88D6E914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:32.445{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D41DD56EAC96F67786AB6405CA277B51,SHA256=133DC0562EBF477A2D42D7407972090526CCF908A30F1E00BE7FDB755323D3DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:29.582{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-27347-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:28.503{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-20626-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:33.882{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D39B9673D24C1B633B9C9A0CA91386,SHA256=0B3BAC58A9ABD3A1D2BED509349BC9066BDBAF1FE34F4BFB8A7D9D3E5EA63521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:33.087{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F65CDF944144E40BA9DA767A60A75E7,SHA256=0FA468EC6D8E7DFD9C20F0A47AB17A28E9B8402B4C50392673B4E7510C5EA3DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:33.523{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F5D095E0BAB8C96D1B08046735116FA,SHA256=18EC4C78351122802276C94CC42C88D38AB42312AEF75BD8112C70780BC96959,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:30.673{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-33975-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:29.685{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-42360-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:34.882{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0AE74E7A5CAB22A5EC3D3E02159AD1,SHA256=1CE11A63D4543382AF5EA8CD30C391BBA5035098C24637ACD210E9F20F686015,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001558809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:16:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001558808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:16:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008e5d01) 13241300x80000000000000001558807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:16:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b512-0xb2aac75f) 13241300x80000000000000001558806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:16:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b51b-0x146f2f5f) 13241300x80000000000000001558805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:16:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b523-0x7633975f) 13241300x80000000000000001558804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:16:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001558803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:16:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008e5d01) 13241300x80000000000000001558802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:16:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b512-0xb2aac75f) 13241300x80000000000000001558801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:16:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b51b-0x146f2f5f) 13241300x80000000000000001558800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:16:34.882{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b523-0x7633975f) 354300x80000000000000001465029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:32.816{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51649-false10.0.1.12-8000- 23542300x80000000000000001465028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:34.103{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DD024EEE90C61D5013AABFB7C31C2D,SHA256=F5DCD5CD51EE1B4CA31A3F7CE53875BA3EDD50C907676F2FF8EFDD5338AD2049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:34.601{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CED978B4402760668FE479A900FEFF91,SHA256=E37A6C2597D25368A95CEAD02116ED1C9C2D08A57EE4F31E23564897CF52D9EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:34.445{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=63BA74FF0325B9586377B9516924ADD5,SHA256=9E8EC4500CE453EAAD56019640B839846603EB416F648550963FADF0B6F7EE85,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:31.771{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-55394-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:31.358{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65258-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:35.882{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C748C0C20746732364AD9022FA6BCC2,SHA256=F39739792FDE6B444DE9BA9ED12E5FB95F811BA3DF2273638557E6890C617FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:35.136{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D585959D04E93688467D7E04A790F78C,SHA256=A668D4AC67E45FB8CEB36F74205F5E5BD3173E29FEAE4B9BECE023DF5F5BEAA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:35.789{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4BE3609923A44BFF5E7B7EE4A119AF7,SHA256=4CBB1235DEEDCC61587EE37956F03EF4D95674F10F1E701B1E70BA4BB97D9912,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:32.862{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-47712-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:31.786{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-41017-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:36.898{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD9A68A1A5A6AD149389165DAD0DF7DC,SHA256=445CC69CE188817ED569F89C8222496168C2515475C6AF5EA46B6F0A4ACB21F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:36.150{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50EFC22DCBAF930B0076CB82B508EE7E,SHA256=3B3356755CA59756B05D4CC62724CEB89A7208A2DA1F4A561BC94E805E7069C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:36.867{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C27D979D92E948E6ACB757F471EB40D,SHA256=B6A3E41E68B0A6CD06DDE0762202CD9B7C9A8D7F0B0817F300607AA4CCFE9FFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:33.954{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-54513-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:33.915{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-9587-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:37.977{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72854B9C1FD9BD6A6298D85CABD4A436,SHA256=7543FF472876C06AAD518890F65BFBBA809A67B104FCAFFC62175BE831831E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:37.899{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7932647B6C3B01A62B647AC64F9991B0,SHA256=C595F373360E20CF8C4BFE499C14A9C7E00FB130F6D3E7258789E2FE3355F8E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:37.228{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38206E0DA1AF0AB9B05E839DDB162F18,SHA256=4AE8F64B9D2B44EF1D28EBCDA2FB3BC8338E1E0F52CB01391696BBDFBDB2C3EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:35.131{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-2830-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:38.930{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB913C566E2B0D5DAD984752C261D27,SHA256=E4FE3094528752AC6D546BDD07E9DDE887BA530A417E1C2C89FB77FF8458CE75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:38.243{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D606BD01786AFDF3506DECFDE2DCE74E,SHA256=6CA08A0D4DC58E7DCF15E1C494A70C02005608F74C83D56031D64E9159FB8CAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:36.218{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-9486-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:38.386{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-150MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:39.994{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD007801636AC5A1F0173C21939C0F7C,SHA256=A884F65A9574DAFE9F2C7E3B43B60CFF7A23D4525F3A8F62754711BBF39E1E94,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:37.926{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51650-false10.0.1.12-8000- 23542300x80000000000000001465034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:39.290{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B25D10F44F6E2AEC299E191A48F3F5B7,SHA256=6CD26E994EED2FF0F7DC690B79D1A11AD3A5A87046746DFF4438D65B1175E6E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:37.317{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-16271-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:36.747{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-23054-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:36.561{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65259-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:39.400{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-151MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:39.071{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D6F80E4A6AEE708C3857599F86D0289,SHA256=7269E1DDE428770B7BBF9E87DD36333D37AEE60D2150C2BE3EA3393CB8F5E01F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:40.306{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A82779B6565D9A8255A082D147EA27,SHA256=1266409F25ED7A5AE780FCD16C6574D42B8E6593A2E5D7A1B581A91AB9690D08,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:38.410{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-22734-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:40.151{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F87C9B4794B116564E7B66AFF963446D,SHA256=6817F3B12A1D8F9D970BF8784E117C54E2EB312CA832331FF643D0608CBE6C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:41.337{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC9E388954766B9CAE7EEA7A81A08B52,SHA256=CE491120B695C9A8C2E29B56CD520A0956B832842EEB655A255D4AF981D2668B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:41.260{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8DF766E17FE5D6D4522064E0B7977BA,SHA256=7ABD9634CE56DA10BBF5BA7778DC95786A74F0D7E3555337A04643C5B363EB54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:41.026{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B70FD123D7D9B096164F560804205ED,SHA256=531C4DCDB25738879425E71EB1452CE3A13FE6737F865C5B8735687AF0BEFF8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.994{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3D0A-6154-DA04-00000000FE01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.994{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.994{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.994{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.994{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.994{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.994{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.994{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.994{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.994{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.994{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3D0A-6154-DA04-00000000FE01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.994{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3D0A-6154-DA04-00000000FE01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.994{69CF5F33-3D0A-6154-DA04-00000000FE01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001465052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.525{69CF5F33-3D0A-6154-D904-00000000FE01}23964004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001465051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.369{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF37B3BCC78DC6F6D78E32FF8F60B81,SHA256=E93010E3E63CDAC96DCFEF642197C87F05F8EBE859C756FF8C9C7B951EEEC157,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:40.210{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-49021-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:39.490{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-29485-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:42.338{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E315386296714291443CA2DA38C96463,SHA256=9C8102FEC8637E47C429B0EC151856EFC6CD8B2EFA951468D5F3EC170AEF97C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:42.026{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C0885A563087F52D25E9FBBE1FEF86,SHA256=92BFD262328E91E3672C85557122CDB5E6B2035CFC6EA3D6C9C481BB1270D44F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.322{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3D0A-6154-D904-00000000FE01}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.322{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.322{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.322{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.322{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.322{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.322{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.322{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.322{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.322{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.322{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3D0A-6154-D904-00000000FE01}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.322{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3D0A-6154-D904-00000000FE01}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.322{69CF5F33-3D0A-6154-D904-00000000FE01}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001465083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:43.869{69CF5F33-3D0B-6154-DB04-00000000FE01}3472712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:43.665{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3D0B-6154-DB04-00000000FE01}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:43.665{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:43.665{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:43.665{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:43.665{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:43.665{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:43.665{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:43.665{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:43.665{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:43.665{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:43.665{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3D0B-6154-DB04-00000000FE01}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:43.665{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3D0B-6154-DB04-00000000FE01}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:43.666{69CF5F33-3D0B-6154-DB04-00000000FE01}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001465069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:43.447{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E32DB2E23D83635982E941C279309C9,SHA256=3E8E58E01EC3D65F5D500457BD467624DCE5CDE37E471B9E8C6DD28F267D658C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:41.715{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-43050-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:40.599{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-36300-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:43.526{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB37AE3952B92F6A4D43D40498A8D90B,SHA256=3C50C9488F0FAA463BD44383C2359785499E9171E718D6A5FA761B7B5C4D143D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:43.026{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DFFC576CC768CFE90A335DF29C66C37,SHA256=C91898475D16352356FAEB0DC0A859453B390E47E818924C4ECACDA649AA3F86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:43.337{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCFDD4038655FD7F7F67B02B3A688BD4,SHA256=0FC9DB869A023786CF2571C1A0BCBDDB1F7C4B35B0B56E3B32EB1533822D5EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:43.337{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57BE8C9D3BB2EA459D8A4801AB754222,SHA256=B2C6710F04BFCEADE7A55E2B64392E8BC256004B758321A279D4D56B2ADACEB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:43.150{69CF5F33-3D0A-6154-DA04-00000000FE01}16763340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001465099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:42.941{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51651-false10.0.1.12-8000- 23542300x80000000000000001465098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:44.697{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCFDD4038655FD7F7F67B02B3A688BD4,SHA256=0FC9DB869A023786CF2571C1A0BCBDDB1F7C4B35B0B56E3B32EB1533822D5EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:44.603{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8BF0994C595609A6969E561315DC4F6,SHA256=7B11261A72B9CF25258906E72519F8A5253A582B5B8A182B707F4A40CC175243,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:42.439{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65260-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001558845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:42.252{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-2872-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:44.620{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2429883E77C8B8345DDBB4887B1B05AF,SHA256=CC59970B603DE3473CA77A07EF511346BF5783D1FFFFD0F6962C51872A182752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:44.026{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=537A05E582F0381AE87222B0E56E5040,SHA256=07B91ED12088F5E4182C636C8A0FA76E88ADE4370F55E2F4B4A81AD04188B3A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:44.165{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3D0C-6154-DC04-00000000FE01}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:44.165{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:44.165{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:44.165{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:44.165{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:44.165{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:44.165{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:44.165{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:44.165{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3D0C-6154-DC04-00000000FE01}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:44.165{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:44.165{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:44.165{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3D0C-6154-DC04-00000000FE01}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:44.166{69CF5F33-3D0C-6154-DC04-00000000FE01}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001465100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:45.759{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4244EEB2DCE84F4E3F66211F0E256F84,SHA256=4CA42C8E57760BA2D3E3BEE8EBD3A6F8A43150363C872EE4A8E6BA62DB172CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:45.698{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70A2793AED14833F97B5C5B7690690B5,SHA256=2AF26FDE42F4ECD6321AC2C46EAF9983B3A3794E70708D1FCE1C0C5D6165E894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:45.026{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71E941A5061B9648B741BFFA900D05F,SHA256=41EF3988630F58155D1895AC639D5A1669EDD78A8F497B85851B308806AF0DCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:46.775{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7F85566AE5D2D36F63B59BC67E9206,SHA256=8646F1A212520E03982DB217837102AD6001503D8A185B6BC08C4D88BDA23EE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:46.776{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80FE6BD8FB57B30F9743CA1703A1AC88,SHA256=900D53D3BF592654B88C94A934EEE46647733D082F75451FEAB051BBF0559483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:46.245{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD18FBD812BF1E1F90D36EE715AC2D4,SHA256=0D969D875DCD9C7702A0141A0D7E615742E4DE15DCAEF5E4A0BA14B9812872AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:43.958{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57017-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:42.865{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-50339-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:47.790{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E993C5F948FB795BAF7BD9AED298592,SHA256=8124C33AC3C6AA0C474FD7E46B8BCCDEBB0BF37FD46A70B56ACE20C80B747499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:47.901{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=212776E44F17E0B4B849CB4CE278CBD9,SHA256=48BE0C0182738F13600F082665AC38A7CFE0524D027E3DC2392BCF057929F95F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:45.049{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-15706-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:45.037{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-4854-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:47.651{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:47.245{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A97DFDE2DFAAFF72210976A7DE2105,SHA256=5262D698C2B3EF16746684E9442E191CC522BB1D0AA30DEB1056ED1BD1D74919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:48.806{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC38024312CDB0D639AC5895D5020FE,SHA256=6648FE65DE7F957F40C2F208DA158D925612B93CC180A2821C4DBF0871EEE15E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:46.970{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65261-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001558859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:46.128{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11490-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:48.245{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6DBE4E79AF47841F1DFF5DAC0FE8A3A,SHA256=03BCA0D689FD912D825099D6C9A1E436D472A7ADE13FDAFA8BD518ED939EB21E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:49.853{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AB00B344545BC387B425BC95296AB05,SHA256=2F6C1CD6A36B1A4AFA18FEE74BA1644007DB553B4215CC4A001FC861E401E5A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:47.253{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-18267-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:49.259{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66636FBBB0DCF1F924C1436EB611F663,SHA256=55394590A04912CE3D359FF6AD81F55BBF8BE4ABC460BB8561F2F621872AD3D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:49.025{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB8130FFEBB01092C9CAA200FFC94C99,SHA256=6F26853B7B727D7A380BE1B803DE67DF5EA7B260C861196E60339D0D4B770762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:50.884{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=258242C501E3A1795059402C18C752BA,SHA256=2833414481DE8C66A5C313971D9B80150F91033E10A163229F75782FB05210D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:48.415{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-40979-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:48.365{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-25180-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:48.360{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65262-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001558865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:50.259{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5B0E631756563D2BDAB767CC25048F,SHA256=CDE92D5EADB85FBFCADC297E1DE1A69DCA32A0B27F73925919985C8B37F39E7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:50.103{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8FD091CFA1782E2B06AC84A29AC92C6,SHA256=07FBCF42BBCCD238FEE829B2894E333E9E5BE5966958B5770840A176F1CB1A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:51.900{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8312D4B3D318CB05FE1A12D0A243E880,SHA256=5D701D6F51168345787C23648B06C68C80FED309EAF6F0E3DF93DA1B531CFEE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:51.259{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EA697D05D2D9B0DB8F3B446F38A9A9,SHA256=A25FE6088F81D08E8D1776F46EC9162A915F125854AA588C346237F77BB6C8F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:51.181{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=767F5E9BF3A6A17E945701F37EAB7E61,SHA256=9CA7A47C52A69B8359D8BAAFFC2DB4C09F41A124D4D8B543306C1CDDF89C56F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:52.916{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69A97AB1B048E718F5CADF7E003BC12,SHA256=F57143A5D25557869E34B68E3C2CB0DAE8EF3D347FA403E847A2BFAC2F530E88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:52.306{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=586202E0CD14F415072B9E131C520FB2,SHA256=EBE65CE46608EBD9FA9F69A09EEC6942C963ABE6B14A8233AC39406C2A463C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:52.259{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9FB08093EFF990D2DDE7608FF9FA0C5,SHA256=033B1CDB98672267D124F225923767A2E0BBA211642A89300508392015BF1D05,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:48.897{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51652-false10.0.1.12-8000- 23542300x80000000000000001465109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:53.916{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5614EAB9AF7E7027CD56E5A5187770,SHA256=E2B8AE6358973DFE2B93D53F5A40334C303FCA55D847E137EA641BFC99A972D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:53.431{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45FC09CDA88CB7498D7A955A05CA0307,SHA256=DE80511D711D132D57DD9DEEEB412630CB6932A2447CE516486DBD812C15131F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:53.259{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0CD218543606EDD166FEBB8A88F15A,SHA256=D50F765E21DDEEDF6CF5B4472AFE9A66409330BD516538E13FA800D6C8A3CDBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:50.561{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-54257-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:50.535{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-38343-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:49.442{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-31692-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:54.931{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E20305E72483B3EE16483B38551F357E,SHA256=0405C279A56EDBD57EFEF64AA79DF7673852B1954E4B6370E8D6AD2FC90D0FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:54.556{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95B2CCBB7974BF49DCAF43E3606835B9,SHA256=57EA64C4EE542A50EB6D30C71DB95ABE9326C45D00BA51B4890E510F8F893FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:54.275{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F790A1A42A98345DD5E11E1C6735522,SHA256=3905C2CF09C984074E4CEA464500C5B2972AE704B1E140CB4996842696FF5886,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:51.661{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-45213-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:55.978{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F30478F38F793811E7C1CDB8EED90FB,SHA256=66B077DD39ACE5D6E531BF4CB025131DADC64F5E1EB37A248C8D823183D16443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:55.634{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F184D5D910A142452385082E30539C7,SHA256=8D59FD8DE125E1161BF6C560F4FB412D6979CF76A657ED0A6A6EE426BAC6B5A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:55.291{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C008529759CEFF68F93243ABE3F336,SHA256=507CDA0A6FAA517DB873FD47769176155C4156FF157B3A346E024C9C3F0BE288,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:56.978{5EBD8912-3D18-6154-1705-00000000FE01}10524384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:56.759{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D18-6154-1705-00000000FE01}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001558894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:56.759{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DEE275F653E521337D87DDEBFAB6C17,SHA256=D5BB9BA37DDCFBBD152FBAE448F5DC5D7386BB8C7EDAA4E1D20933D155332212,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:56.759{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:56.759{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:56.759{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:56.759{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:56.759{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3D18-6154-1705-00000000FE01}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:56.759{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D18-6154-1705-00000000FE01}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:56.760{5EBD8912-3D18-6154-1705-00000000FE01}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001558886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:56.291{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37EC0AF8DFD6F517914F22CFB513804E,SHA256=6A87DA81B1EB49F6A8B0FFA275425AE16109B376C287182D49C0AE62E69A2023,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:54.832{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51653-false10.0.1.12-8000- 354300x80000000000000001558885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:53.547{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65263-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001558884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:53.292{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-8580-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:52.786{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-52110-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:57.025{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7E8535A4440DC9A15746629DAC3352,SHA256=A1CD9BB030CD6D428F1F487BAA40ABCA8F768F88564AF27ACE00FAB09608BCF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:57.853{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1538402DD32B8D822B9BCB6B7C01A331,SHA256=99B94E216A4B97589F139505E36CCE40764DEDB2D9F57F06FF1E35EE6A6EC0A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:57.759{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D19-6154-1905-00000000FE01}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:57.759{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:57.759{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:57.759{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:57.759{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:57.759{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-3D19-6154-1905-00000000FE01}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:57.759{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D19-6154-1905-00000000FE01}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:57.760{5EBD8912-3D19-6154-1905-00000000FE01}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001558906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:57.322{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EBE61E55A60E6B35816772378892134,SHA256=614F3831010195B945026195609C7DEC8AB4CAB5E45724D62CAF7B8F7F2B5FBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:57.259{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D19-6154-1805-00000000FE01}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:57.259{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:57.259{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:57.259{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:57.259{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:57.259{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3D19-6154-1805-00000000FE01}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:57.259{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D19-6154-1805-00000000FE01}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:57.260{5EBD8912-3D19-6154-1805-00000000FE01}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001558897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:53.895{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-59090-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:58.322{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A93B0359A22A8524B08F42D7636847,SHA256=51C44807B62EDA68CED85BADE0D8E868A9175453B37FA02103AAD0BAF2EF39A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:58.041{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691ACA13C82C8B4851FDEE24F7307228,SHA256=467438421A1E6059708A5C8AF60A73DB8A6CAB1AFD1FCDCBB07D8FCA1F85279A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:56.118{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-13570-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:54.986{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-6865-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:59.338{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864F90E2FB17874C57A0DA1BBB957BAF,SHA256=046CF6B48005F2BBD97329541242FE9C4D79D78AF111EC0942D7D2F459701628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:16:59.072{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B70843BBCC3CEF51394DA22DFDF0EB,SHA256=8E8E9895E29703134648046A28F3B8D101D9A2E3280771672C87A579E86D3718,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:57.288{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-20795-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:59.009{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6768AE73D9D43825CC31992D499C7FD6,SHA256=ED36E6502B8C4459C707E856F80504CCB3FF4F7FFDB65E89F53802878749BED4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:00.947{5EBD8912-3D1C-6154-1A05-00000000FE01}29202668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:00.759{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D1C-6154-1A05-00000000FE01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:00.759{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:00.759{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:00.759{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:00.759{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:00.759{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3D1C-6154-1A05-00000000FE01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:00.759{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D1C-6154-1A05-00000000FE01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:00.760{5EBD8912-3D1C-6154-1A05-00000000FE01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001558924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:00.338{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8815B3AEE400DAC46977D797E4D51CB4,SHA256=E613403CFAEFC709DB051DA69E4673286E385A64795B12FD6B28864620D35992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:00.088{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B744DA00B39B60DF1DED8E7998EEB9DB,SHA256=5E589E2EDFF1549605162F2C3BBF541B2B9F565DEA5A62D74F73A9E4119F0A95,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:57.332{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-33511-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:00.166{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7339359BA34B3A5294E8D2086A9E26CE,SHA256=04B88AEDCFC0BBF9581447E76082C455142D1F65E8C325CCACEA44BA8C8FF36F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.931{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D1D-6154-1C05-00000000FE01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.931{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.931{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.931{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.931{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.931{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3D1D-6154-1C05-00000000FE01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.931{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D1D-6154-1C05-00000000FE01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.933{5EBD8912-3D1D-6154-1C05-00000000FE01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001558944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.697{5EBD8912-3D1D-6154-1B05-00000000FE01}41681892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.431{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D1D-6154-1B05-00000000FE01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.431{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.431{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.431{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.431{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3D1D-6154-1B05-00000000FE01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.431{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.431{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D1D-6154-1B05-00000000FE01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.432{5EBD8912-3D1D-6154-1B05-00000000FE01}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001558935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.338{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAA2F2465A4C25EA200A336E4E6F4757,SHA256=C7A1214E3ED260C212908D03E6FFE0863BD74BC699028B8269336BF8121A609F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:01.103{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8390254883FD0ACD0CFA8664C50DBF1,SHA256=F654F264F68385EC39C2486465763CB2BC47192EC11088D226E03C6F5CE201FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.306{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A0EB26346D242EDC32CA0984FF6D6CB,SHA256=21E15C957976D05960A93C64879F649EBA145499A386D53F5DD21356E6D21CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:02.806{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C876E1F79E96A7B57377B6B04447046,SHA256=71A7B9E3B9ADE2129DDD76FF98AFD6F6159198327606871F07F05B13DA6324C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:02.338{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61FAECBD29B02997F4F7A2AEF2FBC6CF,SHA256=D0CB220328486721FBD49C0D0FD15316CD6BA13210F8266F52711E05620F6B12,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:00.723{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51654-false10.0.1.12-8000- 23542300x80000000000000001465118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:02.119{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D79C7E98E0C6C31E92B6641FE2B5315,SHA256=C9FDF4545B8F628515434406B7ACF3F239BA5967D3F9B72C32AFC3B77FDFEE81,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:00.000{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65265-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001558957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:00.000{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65265-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001558956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:59.536{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-34317-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:59.485{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65264-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001558954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:16:58.414{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-27278-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001558953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:02.150{5EBD8912-3D1D-6154-1C05-00000000FE01}5608860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001558972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.428{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-59238-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:00.647{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-41133-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:03.525{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=615305E5876738A04AA8C93F90421FE4,SHA256=0D19A6B2130D78127239CD4DE9E9ED9AD9809656103537EB337013D9E869161D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001558969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:03.431{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D1F-6154-1D05-00000000FE01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:03.431{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-3D1F-6154-1D05-00000000FE01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001558967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:03.431{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:03.431{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:03.431{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:03.431{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001558963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:03.431{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D1F-6154-1D05-00000000FE01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001558962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:03.432{5EBD8912-3D1F-6154-1D05-00000000FE01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001558961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:03.353{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E55C9F1EA69F5F141ED7CEDB568957,SHA256=215FCF65788267CD4D1B3903EE40BC63E50E85F0AE5933F33FA7BCF5F6782E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:03.119{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F663C37954B2DE6461992F7A4206233E,SHA256=8421A752786AB6801E073CB2C8A2B1A2F0DB4A3414472CFF96B7E7E01C125701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:04.666{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F09D7D66FC80C7400CBE1FEFE0BDF671,SHA256=5DB6F4937C41554DF83D3D21DC9B5A3B961F9B4856330AA29460026E82A4AF3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:01.754{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-47733-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:04.369{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC6572E68F7B91BA944AE8E706D4F2D,SHA256=EEFE6A6DF11E7904895CFCF344C8F9AD0E15A437F6F40B472C8E6338F5D46F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:04.134{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30FA7A3DC196E0390F0FECA20CE411EF,SHA256=16FB3708E3242918482DC343EA3491FDD92FDEF6797B0EB9911B4A76153856C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:05.166{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=536CDA37DBEA5CE3474AF2FB40E74CC0,SHA256=E24FEFE3C750DBEADC46C3C4F87C88825A920111EF9C3644DE67D1FAA2FBF841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:05.775{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23F8FDB27CBBE1414AA242B56CB07178,SHA256=F3AD0210507442D9C94A11E2BE8D3742175C69A4E5B5C8AE3321DF5351A4DBBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:02.877{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-54507-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:05.385{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5070CFFAB94D058CE86864B8D8A06E7E,SHA256=6ADD76AAE3D3DB32D84AC8951C44CEDA1C291A6CAF3BEFDA0BFD12AC921F9EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:06.853{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41A6DCA9A76855ED211B02BA31258DC0,SHA256=D4E8F17A1A5EB63C2E72805C716BE4EF7D92DC98698327BC9FA1AD5AD141CE22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:06.400{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD228C881342FBC6E28A1286C71279F0,SHA256=6BCCC8D230406743D5D6C00BE540266ED250233790C218B5455335CD49792150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:06.181{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62B1A0F7BE4E2CA720710EB8BBD4988,SHA256=62047CD665008D26665B2127009B212AF554CDF5A0F674B64FF69492AF93847C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:05.925{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51655-false10.0.1.12-8000- 23542300x80000000000000001465124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:07.213{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116C30AD361E6E1EA19E2A27552EE313,SHA256=FF4B053A451151D31CE2E4FFA938773EEC4784DA33F9B93DB90928C73ED92C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:07.978{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3916F6F8F1DBC4214D4B258729AD45DE,SHA256=44ED368B611B50354881B5960B2C81924DFA4F7CE33AA23FAFAB95D2EE678E70,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:03.992{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-2378-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:07.400{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91FF3F7480C3ADC93AFFC5819934270D,SHA256=9D67A856DAF7E804F2599109675ED99B5A8E94BD203DF234F342ED874D4C6080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:08.481{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-151MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:08.228{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6951A5ADC207800F15BC345DBF20BF,SHA256=E39708EECE116D2E9F48322F28F7EA6D58CB082B224ED2316390C17C2BD914D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:06.230{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-15924-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:05.407{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65266-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001558986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:05.374{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-25006-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:05.115{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-9327-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:08.400{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF59303160AB8A36C753724BA0E1ED3,SHA256=4B6331F290C8FA91B897737F3BA71ED575D7D3BD4D73BF58171659D4BC85D505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:09.480{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-152MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:09.245{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B0CC32520256F98B0818DC9A501271,SHA256=B0FED3CF7986B9FF69A7B4BF244A17BB683A743DBABEA889959BDE69A6453255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:09.405{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2CB774C5BF017EE9AAD6F8E3A59E424,SHA256=2F38683E9E850585070D05673A02F68921B4C4B4DD1B6FA40F1E17760AA9C3E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:09.061{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3160E53561FD275D5FDB305E0834D2B,SHA256=1549BC7D32522A2D15C81344A830045B444E98C352BFFE59E782D80DD1A8B97D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:10.277{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44A5A8B0F494223E29AC2B23EBD18EA,SHA256=9037C969500B50EAD6CDBC9803F62B5E21BE7C15961AADC054580EF1FCB45BC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001558995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:08.705{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-49300-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:08.415{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-29288-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001558993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:07.317{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-22789-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:10.406{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC3ED62CF5BDD62CD6F6822384885C1,SHA256=ED27F77BF56808AF597BA7082932BA2CBA76D29977FCF272E46DCA2975156A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:10.186{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5FE06A23AFB159CA095D7890840454F,SHA256=752DDDFCB26EE85701F828B032F6186C8AC62058DC2E971A05B5920AF1EB191D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:11.436{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6060E0A09591A239EE55D88ADB58BB0,SHA256=1BF184FD96AC5A690425EE0BDB4CBC7ED33B2E3DD893314F9DF414F943296C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:11.324{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F351C2D50739577D888A59ABC5EECDB,SHA256=FCF1C7C19E03C99989FB9C2F9FD7048EB6AFAEF9FF2799B29E8069ED23BAB27E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:11.202{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C89A27C7A4E5A9CDFC8AF4767EEADB8F,SHA256=554CCD1CF5F69AC0C287874A0573F156AC4099CBE27614FD106C2D16F21110A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:10.474{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65267-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001559000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:09.525{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-36215-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001558999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:12.452{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F999ED2B705244B6E9A9EF0ACF94AB72,SHA256=82FF438E3839F70F7F4625675098D6D6BFD6D8D5068F6C3F2C3951FE8589C1E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:12.355{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8E8F02939BF98A387EDE1EAC5898A0,SHA256=B9289A4AF123F68697A79ED0F0E5EF0B2A5647BF271379C7CC577FECF9616E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001558998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:12.389{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F6940F28D704E0F4530B5BF6E2217EC,SHA256=3A95B340C7FEA6E642BEB8C0F7D3FB97D9134F48F2BB9DB2DFF06777C811E213,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:11.660{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-4976-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:10.618{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-42703-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:13.514{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74750E14038A73FF6A889FC846C5A2A3,SHA256=4B5F1F71550A05E9968077D494C1F20A4BBB51CD6860FA32938F2840C7BE389B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:13.467{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA3677793063EC82E7804690EBEA5120,SHA256=58AED16E6D95D0548FA04567A564F1C91D662CF39C29FA1804BFE937B42B2404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:13.418{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F1D4AE92ACFC60C3A61160A1194FA3,SHA256=AA368C3580A74D502390B4DF2F49508A7F609A4ECD8CF8A1CBB243D1F693989D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:14.480{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8318F408F52A990404812026329F40,SHA256=6C8D8E1C807F60133957F47C6FBF6737FD7FB06CE35B5E2D1093FBFE5C1529CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:12.866{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56582-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:11.743{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-49597-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:14.639{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C055A07231D6A37762776D0DA824E369,SHA256=4089A407393A8CFA7628A4A65952B273CD2CCE8B4BB1C7B903B60120E045C03A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:14.468{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ABEA7EDABC02C9C3A5377C72D3F6D2C,SHA256=BF1DDAB0037706BB097B4EA4DAE9C118DC59E525A9E0C0A37B2D5AE43D7A4137,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:11.911{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51656-false10.0.1.12-8000- 23542300x80000000000000001465137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:15.496{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C63A7D9CFFC623AD63518A8E35E833,SHA256=D68395A75529E760EDE2EE83F132C7D661CD56267EE21C952265C7D10906A91E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:15.749{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=935C8466AFCFA8AACFAB4C4A56028A01,SHA256=846D3FF741CDACCAC767D2AC72FBC893AF9009FA0548FE71C8F3A6E7D9F8BDF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:15.483{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBCEFCACB8D7BF963BE23B46746ED7AA,SHA256=D28D7441F0159FEA94C1D2E0557A9EFB3D47805646632157F2116FE4AAFA1C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:15.214{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B8F4CE384A936489F8CA18305B741C03,SHA256=9C856F155964FBCF62D39E11FA7E953A5058C1200E74E284C8F302526D9B0CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:16.511{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D972F37A1D410B2192204E572B6B97DD,SHA256=136D8D651A7DAE0D4F6BC7BA56EA1C7ECB77D3E7D6A46A0B95C12C5D509D1480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:16.843{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DB792CE0DBF480A1FD00BFDF4FD9F6E,SHA256=F4F78F21D22CB4B88E90B783BC281A87D495340EC88FEAF28875DFA8B9221A35,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:13.991{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-4800-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:16.499{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E7062F52A7C6BB85CB70E8708E4D37,SHA256=7C6E161BA80A025226C402BD3492B25E66E6FB55627143D9544745FEF1215BF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:17.605{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:17.527{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4721FDAB33AF8F31391DD00226330495,SHA256=B2951C3DE9992DAB4E63C81F515B26162C5B603B1B8AD7D21672953448C1158C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:17.968{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63BC6450514ACFEB8B379C4F859B3106,SHA256=1148DD4E18F4B5E03985603A270B7B5725EC17AF4EE6DE884EB4C1964DE68AEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:15.640{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-29848-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:15.104{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11707-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:17.499{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E70E58F9F1769460565979639B549A2,SHA256=4F0B6B627229EDA8E78D12B3A8F019750695899D0F8B778BE24ACFB05EEEB9E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:18.543{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5314D0E443A5A22B4DCE95F223D012B0,SHA256=1F5A09AEE4F17B9791DC09E67456A8F13F9719DC813E09161390C4C8F8B329B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:16.459{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65268-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001559020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:16.198{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-18383-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:18.499{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4B71D857081DE450B45AB065F780282,SHA256=314A2C588AC06BD5544D1644763532FBBEBC06C78EB7A867ADA44FD73F8CFF93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:19.574{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E43DC90134346EC3128A249B094B33,SHA256=BF7351B3AFF43E93108A6B78D6C0192CBC6CF87E1793C04D3138AFE9A788FE60,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:17.286{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51657-false10.0.1.12-8089- 354300x80000000000000001559027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:17.322{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-25198-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:19.499{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D1712B6387F30F0BE0B93EC49E47AD,SHA256=817B3AA144520D2C624831B4D78A87D4DB73E3C219C76ECB14E22E3EBC23D515,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001559025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:17:19.358{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001559024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:17:19.343{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001559023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 10:17:19.343{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x80000000000000001559022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:19.139{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1AF3DDF59FDEEC00E9BF599E0022DD6,SHA256=5C6AA3D7F6E682778E82B70624D5A2D62449C8EAFCDAF04E371DCB6965738CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:20.808{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBF1CA3E280BCD0AC6E682B9759EC13,SHA256=1099664853AA9CDB265842A61178DE509CE3076078EBD0989CA2D071CB62356E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:18.694{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65271-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001559035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:18.694{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65271-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001559034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:18.684{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65270-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001559033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:18.684{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65270-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001559032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:18.663{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65269-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001559031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:18.663{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65269-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001559030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:18.491{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-32331-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:20.499{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4D954F89CEEA70075C5D8DFF1CA92B,SHA256=222086E639DE4EFCF124301BC87768F7870FDDC903452A1917A2AA20C2504A83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:17.880{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51658-false10.0.1.12-8000- 23542300x80000000000000001559028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:20.249{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0B49722ACA076F9008F0207BD6E3E4E,SHA256=50EF155DAE0B9EB8797E31B0512F081638C387EBC2AAD765A5FD1B8C99970CC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:21.840{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453B166EF65859F506109CB13B3EAFAE,SHA256=47022FFCA8732CCC54CF6804BE4B43C23D189EC70E2992365A639E4992460CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:21.499{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3003BF0116D947818C1FFD5879D9EC2,SHA256=7F83280015C80317C52F800D793357E956A8EE7BB5547B9C38F8845B2C865D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:21.327{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=477511E3492B3BFCA45C170CE550BE56,SHA256=11EEFC5728DF0316CE26DBDAA75E45C577DA4A739BDC0F06AB7DFED1E8AA3A47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:22.855{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB49F4AA1ACAA5815B4EBBA95FE862FB,SHA256=D903F2A0F8DBD48AF4D707BB525B893E94C0C4B6145FB5A936139C642B22AC22,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:19.601{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-54669-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:19.588{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-39237-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:22.499{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A159F4413F02F429562D3E7140AC9AED,SHA256=95775D77C56D495ACBF4BD59F5C9FE6409E4418CD8F2D118C1DAFCEA9CB70F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:23.886{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0537DE6D8FA3442C94A8AE7393C94A0F,SHA256=B1C37D50221470188B6A0CFC07382649428829689B708974F5C4A861ECB11CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:23.499{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58388988453D8862CC768E78F0DF2E92,SHA256=47DBBC4CF1AFCC719E69705CC608D08C8C177DC42C2AA06886E2363DA6982A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:23.233{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70EE5CAF4086428C87CC094D026AE352,SHA256=0ACFF15BF379F137012C108206292A7EE53BABC48D1220ABD23AFF87BEA72665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:24.902{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F4B458E44BD07C9592226D659B6BA6,SHA256=44FA2A20536081C6A02287AC6BD6DA73519AB59AC499DDB1846DF9276C083E14,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:22.969{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-19952-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:21.584{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65272-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001559044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:24.515{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D532D5FDFC57930A937326CA27E7D826,SHA256=FB593E19CC61BD358F622730AF0A7A40A17878C7118C313ED517C0E9A0059D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:25.918{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC89DC81640227964EF8A6BC25F4358,SHA256=08CC22859F04341990EC2A80CC902703B4FC5C2F82FEAD380F9C6BFDCBD72FE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:25.530{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C9A74399073414E74B96270DAC5A272,SHA256=F3AABAE0754276967298CE5D32AC7BA744DE7BDC18C855795C83019B2DAFC04E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:25.499{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F62AB6FE63692CA78DAC47BB327F573F,SHA256=B0CECAB6F10D8E86E2D3B196A28F788B0D1C569E6E7F11F77B9A5D8F4669C1B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:26.933{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59F14392A4C4A7E9C2C143C9FFC784D2,SHA256=699B0FAFE005D154C3044E8181E0E01A0BA3310844090A040CD96BD4C072C9C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:26.530{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5D27251995B705CA3C81077C2E7F7DF,SHA256=2982989B5BDE773D1A11F4B5BAB59D64D802BEADE05248849701FC68D9BA9B69,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:23.880{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51659-false10.0.1.12-8000- 10341000x80000000000000001465163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:26.793{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3D36-6154-DD04-00000000FE01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:26.793{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:26.793{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:26.793{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:26.793{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:26.793{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:26.793{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:26.793{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:26.793{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:26.793{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:26.793{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3D36-6154-DD04-00000000FE01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:26.793{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3D36-6154-DD04-00000000FE01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:26.794{69CF5F33-3D36-6154-DD04-00000000FE01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001559052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:27.843{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71E63ACC0F67D340DE3761428B342A08,SHA256=A46AA2495C3B5CDC60277F20C2143D9C4CD31F7FDDF01F0B7847FE4E3FA5E349,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:25.243{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-34240-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:27.546{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970D98C91DDD5FC00AEE135E9ADF41A4,SHA256=15DB11B5FFA360FAE370DB17A5043576754FEB9AD33B9154387666FF6BB3225A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:27.808{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4580A537173A29E676A63750176C1046,SHA256=C96694AF9402FC253184997305A7464DD52B5F830B3C04D6068819E18D212CEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:27.808{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E08B4BC233CE9CE16815D33702B4E093,SHA256=5FE89F17B469CD2AB94FE3CDF1AF465573E275A7CBEC1AAA4F610601F9ED71C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:27.637{69CF5F33-3D37-6154-DE04-00000000FE01}20042564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:27.402{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3D37-6154-DE04-00000000FE01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:27.402{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:27.402{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:27.402{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:27.402{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:27.402{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:27.402{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:27.402{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:27.402{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:27.402{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:27.402{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3D37-6154-DE04-00000000FE01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:27.402{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3D37-6154-DE04-00000000FE01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:27.403{69CF5F33-3D37-6154-DE04-00000000FE01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001559053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:28.577{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72346C405AE233AFAFA27D2977C25F88,SHA256=CE0973CD0E98ABF8CC0C64746D08F419E9606FD2986C515EB9D8F37B5F71270F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:28.012{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A680DAA6ABDCD7AAF2240408C9C87FE3,SHA256=116CC514B7F47134F6868AF59C9A2B8C475D9A77A093E940CFD87D82D1A01A55,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:27.616{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-48782-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:27.443{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65273-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001559054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:29.580{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A64E42C2BE32802D6016C80170C672,SHA256=108E17E28F8D62D3078E03B59D5B0D321A51F2A464CBA59CFCC6001BF3A9826A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:29.605{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3D39-6154-DF04-00000000FE01}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:29.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:29.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:29.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:29.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:29.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:29.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:29.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:29.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:29.605{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:29.605{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3D39-6154-DF04-00000000FE01}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:29.605{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3D39-6154-DF04-00000000FE01}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:29.606{69CF5F33-3D39-6154-DF04-00000000FE01}1344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000001465193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:17:29.105{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001465192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:17:29.105{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008f22a3) 13241300x80000000000000001465191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:17:29.105{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b512-0xd33635e0) 13241300x80000000000000001465190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:17:29.105{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b51b-0x34fa9de0) 13241300x80000000000000001465189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:17:29.105{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b523-0x96bf05e0) 13241300x80000000000000001465188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:17:29.105{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001465187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:17:29.105{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x008f22a3) 13241300x80000000000000001465186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:17:29.105{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b512-0xd33635e0) 13241300x80000000000000001465185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:17:29.105{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b51b-0x34fa9de0) 13241300x80000000000000001465184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 10:17:29.105{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b523-0x96bf05e0) 23542300x80000000000000001465183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:29.043{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736577DBC555B5BFAD1B9789B8AC8A96,SHA256=83434591F928C7F5C94589CDE60EA3455458D8E710992486824549FA33951549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:30.580{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE19E47ED27DCFCED7D71A03461CBA90,SHA256=8C8F33BA8EC944038B0F3E9DF1A01719A726B58AF11C63A8D6D6B6E8853F08C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:30.621{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4580A537173A29E676A63750176C1046,SHA256=C96694AF9402FC253184997305A7464DD52B5F830B3C04D6068819E18D212CEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:30.058{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5D36B642C84D488BADAEA9E5C5C878F,SHA256=DBE75B6D96A031EBDF1BFA23A6539CF68AD0EFB101DE39136ADE0DF80315C833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:30.220{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=043E2F1EC9BC600F8AD1FC77098C09F0,SHA256=288618F3028307E5E42C888ED3F8EA518BCA6345512419FC3DD977CDFA7451E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:29.985{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-4857-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:29.270{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54251660-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001559059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:31.580{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1070FDAC6CA45761A1AB14292DF3A264,SHA256=245FD521B4C85B5B9D7B56732DD699C195DC7C90616E358E39D0BE4F150D2328,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:29.895{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51661-false10.0.1.12-8000- 354300x80000000000000001465212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:29.598{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51660-false10.0.1.14-49672- 354300x80000000000000001465211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:29.518{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-52235-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:29.479{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-52049-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:31.074{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A0C243E5299F7EA46C979CE4220815,SHA256=78341552F0656B71158FC2B062200BCE2A7C447FFB3D3D4E7BB49E830A57E64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:32.798{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AC5F32720FA844773F1C7A787B391E4,SHA256=F911B562120920926E47A65AEB7216B671CC165E57777AC64A23AEF176E67944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:32.137{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F716C00375E9C0E57568D8EB7497B72,SHA256=15A6A24ECA26C3D8C9F354D7A51EB36B9ADA087223486F1813BA8FB0A6B5A587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:32.564{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F07FCBEB6F93FACF994B49764FB49DD,SHA256=19594D2759B964562D5BBAD2ECAC7D8C9B0BA11B0FF5D1552DFF46AFE4DCDEB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001559062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:32.158{5EBD8912-18AB-6154-0D00-00000000FE01}9085788C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9600-00000000FE01}1296C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001465214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:32.012{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C9A401E0329F030FED793DA3CB8B833,SHA256=F76F4EA75E35956962202D94FEF4DDF0638E0F8FADDC3C86C3AE8136FADDC697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:33.830{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECE4B4F384EAD711BFA82D13B15FDC4,SHA256=9E2F61E11922B6ABB093F5B1B8CCFAF8F5749AD480DC8E2593D191C234DCA522,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:30.636{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-59451-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:33.152{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34CA78F32A5E6902CB0B5196006486BA,SHA256=A8A4401837782392E8B46229C9A5B7B07620F8223676C9A91F36B4508EC5C999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:33.137{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7617E3582FDB72AF6C6A9F165DFE8A4,SHA256=D3D6A585816DCD7878419243A96FAB9942F59F537619CE90DF661D803278253C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:34.955{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B986476EF742C200A648259639BDC76,SHA256=E582CA14D4F99D241A9E0E6D80FAB4467120E7ACFB04132CC54CFD130208C05B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:32.304{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-19400-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001465221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:31.742{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-7071-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:34.293{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4F7A1C06730B44A69364D5D2E104B57,SHA256=BD91ECB940771EBA607E2623314526119E083DF4E190FC9A964B6A85EFBB2765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:34.183{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5C58E9151724EE3165690A99A1AD9B,SHA256=A91E368F04497C49581F4CB686290E3596741E6244864D421D9445F379280BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:34.455{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=61EB2ED2D516B72F084794FF8E6C23F7,SHA256=07595C1D2380922484909D80F4F9883F4811822991E0595AF7BD826423A7CFE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:32.933{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-14560-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:35.419{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3FBD7D24104653C32C42953016689BA,SHA256=74D8947293B56E3562DD0DD50DEC55C71279888A8FD96FB8BF1BF8F36BEADA87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:35.199{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0AEE19C2934405CCCA09FD9EA97241,SHA256=0DFB493784C192F9C90A776B1ACBE59CE3AA3BB82412D14975A420787F109E98,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:33.446{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65274-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001559069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:35.189{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47AE0003628C6E25AEE74C32AA5FD472,SHA256=DCEE51606964DFF3078A5013A6079EA31A6D1F7CCB6C53522C9140735ABAF8ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:36.496{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAE38F1ECBAF949287F41BA30E6BD28A,SHA256=8F68829383A3089C39823E6B2E10F6F4458D8D24B4E999F4B8D1EACBE72C5FD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:36.262{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D5F877096D78249266D856E92767333,SHA256=610E9F6C8987AE6CF5F02AD752EFC1FF7DAACC8F23766CA926F186B51D83ECA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:36.048{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303DD8F8A588597AF8477671B83589C9,SHA256=422CBE9F1FC280AD5E16A5AFD57721DE9DE52E85C3982CDAADBEB2235A559063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:37.574{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B0B46F7251AF69B4AB8DE09DE158536,SHA256=4069CA1678CAE6DB3B7C37960ABEF3FB838A8D082B8F35FF40AEFF8B386BB6A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:37.277{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BE369CF10C197A18E7308A6FDBB47E4,SHA256=57699E7F9D198B4100C9FD7C9F616EFED5BA1A8A11FF630A62AA8546BC09F4A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:37.486{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C92355DAB9308D58213240B7EC6FEEC1,SHA256=5E527BF131E6D413B36792EED7270BC9D9A45463A24673A244FAA0E4F92070E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:37.048{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2E138F00A0862A519758F7B15F0240D,SHA256=405B588182555C045804A18543DF60A1168C47539AD31C191659FB14766884C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:35.136{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-27830-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:34.022{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-21148-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:38.699{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAF581893D437180BBB88FB91C63D850,SHA256=1FF4FB2042800CA06F81E942035BBF84B52A5FFC83843463900E614999949946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:38.309{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5747B16F21A1C58845FE37C76242171,SHA256=2E53BD92CD679AC21389FD5FE57A886CE0B82D2926648F80A2E59D78A986EC8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:38.095{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DACC18E0C1F0E7998641B1E801989D2,SHA256=4A761C42037C4423CE799687315AB86E78AE5001C3D168FBC466491EDDADAB05,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:35.755{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51662-false10.0.1.12-8000- 354300x80000000000000001559074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:34.938{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-35964-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:39.793{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B58D769B38EE57BBB36D3FE2634EF7F,SHA256=ADEC876E1551B8C07376D4CAE4748FA85728C35E202D7EF98216233689E02AE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:37.306{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-41393-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:36.213{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-34827-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:39.309{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF911F05E3237EDA77FBC500D6E565F9,SHA256=ACED21D49AA4CF4DAA1DBF317F75BB6D2EAF5722B3EEBEFC55037DE8BC33AA83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:39.927{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-151MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:39.814{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F83CC0FDB5B75D0E1D9A06EEB0D84A9,SHA256=5C876B6C5D79936D3ECF3341A389997CA70852024A70E2D2227CEE4CA3332E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:39.142{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4B3F8AE4BAB3729C0BE20BC7DA2FD2,SHA256=66907FBE33FFCD466DAE57E106D32E26ED072D876418FCAEBBC41783808B70B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:40.918{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=235F44DCB07D82A92C09F22580991FEE,SHA256=2B613219EBABA1A78FD40AC7C2946DF00F2BB543211DA432B1057372CDC00860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:40.324{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46DA41946A2BE0E819FEC5DB7970A066,SHA256=D412237B72451BE27CB5B8311AD4B78AE0F373E47CC79979153CCFDC381415CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:40.930{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-152MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:40.147{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF91072D63E95B969641C6FD339FE34,SHA256=5AE06E1FDA15E2D8E6316CB47E93A8F027BC194407212BE2CD6901D8318C292E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:38.422{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-48551-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001559079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:37.271{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-50111-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001559083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:41.838{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-1892-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001559082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:41.162{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB7952723C4487E500A47E4A1C14E9DC,SHA256=D805AEE6A49AB785E3DF18E2857C34C5BF51BC634CDDE522A642944323D433C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:41.340{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22AA4E1DF8E5EF6229276CF4CB646A81,SHA256=66A8E8CF37D15A0C9EF333DB8DB648159D0DED3768923CAC5855DA23B6A60023,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:39.526{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-55231-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001559087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:42.228{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=275651F67EAD67469CF183D708D6EA69,SHA256=E446EDB2B515999FD7ABDC44AE45273F1EDCF9AF7B8542D8B52ED103B25D4D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:42.166{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C25A535F86793FAB86C60DCC9E20F5,SHA256=4DCC64FF49FC1E3A444D43AD4F1C406B9CA9D2EC17ECEC869F2D584A53125030,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.918{69CF5F33-3D46-6154-E104-00000000FE01}30361064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.731{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3D46-6154-E104-00000000FE01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.731{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.731{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.731{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.731{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.731{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.731{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.731{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.731{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.731{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.731{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3D46-6154-E104-00000000FE01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.731{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3D46-6154-E104-00000000FE01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.732{69CF5F33-3D46-6154-E104-00000000FE01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001465258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.496{69CF5F33-3D46-6154-E004-00000000FE01}22923648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001465257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.387{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C730BC3B86BCDBF5F11842894D633D6,SHA256=4A4B56145516977CB2FFA2175AA52D2EE098D40F5DBBF4F8575C0DDA8A16F29C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:39.563{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-5518-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:39.341{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65275-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001465256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.231{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3D46-6154-E004-00000000FE01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.231{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.231{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.231{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.231{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.231{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.231{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.231{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.231{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.231{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.231{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3D46-6154-E004-00000000FE01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.231{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3D46-6154-E004-00000000FE01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.231{69CF5F33-3D46-6154-E004-00000000FE01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001465243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.043{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C67E97668D06E16D1EFF22C0FDA045C,SHA256=6AEF5B9F64F7E814C0D70F359CFC13C3AA32FD182DBABE879E2E9C253A0CDE6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.902{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3D47-6154-E304-00000000FE01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.902{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.902{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3D47-6154-E304-00000000FE01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.902{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3D47-6154-E304-00000000FE01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.903{69CF5F33-3D47-6154-E304-00000000FE01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001465291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.637{69CF5F33-3D47-6154-E204-00000000FE01}30561824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001465290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.496{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EEC8E10363E61FEC2BC871B9972B01C,SHA256=FF9324A1170F358562ECFFF8EFD4C607FCE5B762AA5D337C869087BD85BA95E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:43.166{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC92836C9E32CA4109037E2224C91FA,SHA256=50818FFAA94EC0AD82D923055215E93DE19C6E10D005328B656E9AAFFCF82B7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:41.160{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65278-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001559092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:41.160{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65278-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001559091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:41.057{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local65277-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001559090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:41.057{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65277-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001559089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:41.050{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65276-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001559088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:41.050{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local65276-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 10341000x80000000000000001465289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.402{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3D47-6154-E204-00000000FE01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.402{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.402{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.402{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.402{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.402{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.402{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.402{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.402{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.402{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.402{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3D47-6154-E204-00000000FE01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.402{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3D47-6154-E204-00000000FE01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.403{69CF5F33-3D47-6154-E204-00000000FE01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001465276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:41.760{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-10509-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:40.786{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51663-false10.0.1.12-8000- 354300x80000000000000001465274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:40.650{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-3565-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.121{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39526F5ACE3B3C254F9C5FDF51312C4B,SHA256=C97D171D65B8951946EFAEAD345D35F5047BFD6DE5995C195C9B8A706AAE3D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:44.512{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7E13F8E82B28C2ACC97A59AD5082F5,SHA256=249431CB774B7FF7BD1AAE65AF2F04E429E8B360B801972BEBB7E6D0CEA7CBDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001559124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.619{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001559097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.447{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13D3A76AD3C3FB71AFB3213339F25106,SHA256=4C88E697382CEE4989786C8A72297EB2D852129FD79D70BDF444C29CC97C261A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.166{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46DFBBCF12FEEF6B610BA1E38086569D,SHA256=FFB033341E38236B688BCD474072D32D613525C89DCBC00DA0ED394DFCE702B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:41.904{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-20809-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001465306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:42.838{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-17335-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:44.215{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=485AA51FB0EE55F35096F9F52C1F758C,SHA256=88001B86D8D5D93CD2B6BAC8E34D5D4D40B88FD2F130B252D2E41C2E43B2AF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:45.543{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CDF32AF9F56492AECF95C0DFA6AB977,SHA256=222BAB8E6DA1DA721D6665F4CD911C6AA10B270A1D87E9EB22CB9F663CC74D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:45.603{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89EAE1450FFD99962327885059864C36,SHA256=42D1F0476689B2D4DA266A1EA4D562CE3BC591D7CC6CE388CCA7C9840A5F5F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:45.293{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CF263424E811023E94C57677FF270BC,SHA256=65E1D3E7329097876111AFFAD7D8E99EEDD188D74349C94989D912449E22E09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:46.791{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A34AD0B26B606CAD9974BC4012A1124E,SHA256=62C5CCF316386233EFB3F7345CA5440D830B8AEC759402B28D3072C81A600FDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:46.635{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5650DA9C63274E04EB13D1D226DDE9,SHA256=CCCEB30B9E8CA038624B40E1E8ADAEB790225CBE18A89D13C8DE7DDBD285A2F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:46.559{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD3E1376F4721A7A41B35E98BB717DF,SHA256=DDB4E9E941DE0D7150943758C2805B56BF85E703FEEAE2FBF6E044D336973A26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:46.418{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F88A48AA7A9E04B1B07A9D183DD31426,SHA256=BE2CE33E05F4F8399923F541331D726CED1D5BB1657A38CFF0FE12530C232728,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.210{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-34624-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:47.681{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:47.681{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=033FF7C9A97D40A200E1DF49C6EBFEA2,SHA256=3FB543A084F5509D6F3C11F152C0914403C5717B2B10A1F6E3372F954C239B06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:47.574{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE0DA587E3846D00B116DF8662230BC,SHA256=93B019535DDBF357DA5EF4E59C8EB87891611AA4EAFCFAD47FB0950F546383A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:44.563{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65279-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001465314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:47.496{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA2650463C13BF843FF2D8C4E74762DB,SHA256=BDEF0C9A6A15EA782BD0DB9317BF5EBC42B211851F0A303CB90375D7D55A762E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:45.047{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-30955-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:43.932{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-24122-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001559132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:48.751{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F852919F65C238C2DA9D14CF187645,SHA256=85D6F09A69FF8BC684314DD4399C716765171DACB630B0E72FCE5B9DF502E022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:48.621{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=688251B1DACAA2BE5D98DC600DADC995,SHA256=65F78478B2132AC6934B0DE024937CC15B9AB70C9880F5214FE143990AC0F541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:48.590{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72BDFCFF27CFC484121748B89E91AC98,SHA256=74C7DE6E0324429E5B5C8CA6E1F9C84813E436BFAF958B49274B8315E1AF9216,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:46.135{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-37989-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:45.864{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51664-false10.0.1.12-8000- 23542300x80000000000000001465322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:49.746{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0C814FAC7B1C2FA9CA2C59E797B8755,SHA256=2C8C9FE4546B8D6A1DEA069C384E6AD511E8208386BB72D495D238236388CDE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:49.621{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88DDDB6A07618AFD74D04E4F03E664A0,SHA256=4DEC08DF9211186C5322D39177081823C4963DEEFF6945045D3AB7B67CFA0486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:49.751{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1C199982E0531200F5E25FBC145A6A,SHA256=845B73599CDBA4CAFD6A785411014EEE4B80A107966B7A16139A315B11671733,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:47.071{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-49177-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:46.985{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65280-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001465320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:47.225{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-45020-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001559137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:50.751{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E761976654B446F45250B15ECD039A,SHA256=D81F5B3D2CF245C883BCB47146904D7D178125A5B1E4FE9935DDEDE2114E6DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:50.918{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4D9C1FAF743DB849C55EB3A347DBBA7,SHA256=C5362AF699923FC522B109D4DEF85C5F068B9688E501B7B38BBF3A9763EECF4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:50.637{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E53D95A225A1C5590367453C17B5BA2,SHA256=C9D4E9B003CFF155F851AF3800AEA3373E2F4B9433B4F71242F90A10B7D1A02E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:48.353{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-52034-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001559136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:50.735{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9883AC4FC71B828A58C1ECB5F7D2FF26,SHA256=C9427B00A6AD5456DE4B5BDF8951B34D9082A950B9D0F1AC9C389A2F4262C52B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:51.985{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84F45C315358BCC0F650C8CE4E6F3CF,SHA256=C56E8F6774FA03AE17637C7929E98FDE815EA79EC8DEF5D39B2A016633D93C77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:51.668{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F1413AB5F16EB0A5F6572CD68A69F4,SHA256=FAC8E9FB5E26CC69B2822AE85E9952AF6A903B822E0B913BDCE844EC50F3B50E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:52.746{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4413A1464D720C70CDE9665E55DFF81B,SHA256=DACA75FB6D46461EC5AC159FDF835B9762C0B4BB1A3C6C5147D58D93FD2A87D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:50.429{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65281-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001465329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:50.649{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-7194-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:49.480{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-58854-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:52.028{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C328E65EDB297F11E0CE103CB67943E8,SHA256=674701FDDD35D7845664B35A542B20FB30CE8C0E361F88800C42BF60F9F6639C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:53.762{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72600B760E81C8B04A64528229830016,SHA256=813EC5C6A5FDA06C069C1FCC2C4895305C17D663BEBA2AE878827824D62D203A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:51.198{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-15031-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:53.610{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=508D4ED8FC49542F685CE68C00FD9992,SHA256=8F594F802FD05548DAFF2CFCDA12DC93993FF8D3755351254B097D45331EAC78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:53.001{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFB7800E968C39FC5E0390500CDC913,SHA256=1A0254E472603288351103D2A21CD730DE6396708F4335E0B8B0C81A4F06BA9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:53.092{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE2D409D9F0024FA34E58BF4B965965C,SHA256=FA1E3E012AFF6F964F22CD5401B5A88B9152D5FC079D74495E48C68D10A8D728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:54.778{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69803C976DD215CEFD81CF2E83D87CCB,SHA256=0006E7AC5543B04DE1F7020AE12270C00BE34B493707BBD3BE16DA57A1D54B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:54.923{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B1C8EE9A65D518EA9B7D69CB2D11854,SHA256=36B722F37E31D85EBD15D1DDFC475939D90647B0FF9ED7344006CC126E5563C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:54.110{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F61CDC6B2C7071BED6015434028CDFC,SHA256=BEFA7C68B9999DDD1ED2BF2F216173EC136B9C4F414D02DB9F5D8BCB8B1483C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:51.848{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51665-false10.0.1.12-8000- 354300x80000000000000001465334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:51.744{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-14421-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:54.246{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59B8B7873002A82A6E2B46F1FD1B123A,SHA256=CC0EE8E715555BC5B2849E41379365FA9EF9B80379D74B07D68399D9E80C881F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:55.840{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6DACFEA184EE3B5FA062DC49014F349,SHA256=32C886D106BE8AF1A3DF267E9EEAA6B8965B9A1FD88C5B5A957D2DA791BD54C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:55.126{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=347627A21D96BC90BBB1299DEDCADF5A,SHA256=8F08BF88A5BC7693A9C70E1C7C341785D344A07BEEA9F1A4F93DE9ED3C4BFE8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:52.854{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-21447-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:55.324{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47CA0F75FC70A830034DEA61E6B19E4A,SHA256=E7811F00FE7F05C9976222C030092641C460A63CFA3611E7BDEEED5595F4C021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:56.841{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E09D6184E758C39926EF3A5FAB7C893,SHA256=14583D55A12B7ABF1F36418E8E79038020B56BF40DBD86D9D12C2E7E184B1ED8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001559154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:56.751{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D54-6154-1E05-00000000FE01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:56.751{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:56.751{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:56.751{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:56.751{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:56.751{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-3D54-6154-1E05-00000000FE01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:56.751{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D54-6154-1E05-00000000FE01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:56.752{5EBD8912-3D54-6154-1E05-00000000FE01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001559146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:56.141{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237A439C8B93C362371AE34780A37324,SHA256=98F67D4BC289E37F50E5036272F7112A438E7B326A69F6E4B877B0E6DC26AD8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:53.963{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-28628-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:56.418{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=582078200795DA9E2AAE3E943F589A81,SHA256=1E416CE188118C06D3B75D40C2D92C3885A12008473A102EDFC1022A52DE330E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:57.950{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B94EAA9B0A2AE557EAD450DD649103,SHA256=A42C96DCC54D5E0AB949DEC6A0C6F569807BB7D78A267FD8F039DEE770F64376,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:57.798{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D04E16DD4ED034C0446C83AD5E1CA2A,SHA256=03EBDE8F38CADBED51CB8E7DB87A54AFCC8CB007FB67F851EF673BC52E53AA40,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:55.461{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65282-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001559165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:55.152{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-40643-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001559164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:57.595{5EBD8912-3D55-6154-1F05-00000000FE01}47164464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:57.423{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D55-6154-1F05-00000000FE01}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:57.423{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:57.423{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:57.423{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:57.423{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:57.423{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3D55-6154-1F05-00000000FE01}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:57.423{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D55-6154-1F05-00000000FE01}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:57.424{5EBD8912-3D55-6154-1F05-00000000FE01}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001559155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:57.173{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493320DFE46F9E1919A3BA1136D63A18,SHA256=FD9B56BEA5BFE1ADE8BBE8F0E58CB91FB2162AE9C0488EAF4838A742A4D186F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:55.043{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-35599-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:57.543{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8C9DB75A8249A1F99B3B0EBA6EB167B,SHA256=433BD61B3067F46BB019140DED63C4E8A6DB6C21E5D6033C780DF3120D3B3CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:58.950{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B168D26E04D6C44DA6FFFE082DFF713,SHA256=CFAE2D6B50B66C1617FEED5FE9EAEAFB131BBEDF2F4A504D0B962751BB34A6C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:58.954{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B9B81572674E1CCD1BD30C551A42323,SHA256=50B99C56A0EEC80875AAA2AA03CB3A0694E55F37EEAEB8B2F30DD46D3C46779A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:58.173{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C53C70763078E72EF93BF82E5A665130,SHA256=A3A90889932D321EC459303BBEE836EE583E0394ECB523D6B0CDBBF747B2E5C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:58.700{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=093057DE4F74D26AC72417A125979C0E,SHA256=52FEB5128FAC4597EC34ABB2DCF7434EAAB01FF6B548313B39DF532C883DF57A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:56.150{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-42566-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001559175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:58.095{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D56-6154-2005-00000000FE01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:58.095{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:58.095{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:58.095{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:58.095{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:58.095{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3D56-6154-2005-00000000FE01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:58.095{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D56-6154-2005-00000000FE01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:58.095{5EBD8912-3D56-6154-2005-00000000FE01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001465352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:59.950{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B44F7CB23E12D53E7705314D479C173D,SHA256=14BCC8CEA36016E5DA26A95539687B78FC66FF6EF377C32DBEBC16F75ACBA26F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:17:59.173{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9EA7F8056B2BA203C183C6E627BB7A5,SHA256=486FE42EFBCA876D5C950266E3CD7592CBD0C5E7F24B6284C44BD839135E4C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:59.825{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E942368212B8F8CEE138022D03989577,SHA256=765375BAFF8CC18AAB101CF4CB1D3C01BC08D8C020188A10009528F2BE61D975,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:57.880{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51666-false10.0.1.12-8000- 354300x80000000000000001465349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:57.275{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-49636-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:00.965{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4348D424A4B8DEF7E32F99927ACB545D,SHA256=913024DE32CC920AE18ED516183F929001814EC7D640530BFE20D8C0E28CB330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:00.965{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F624C5FF37EC31C2494946432B5705,SHA256=90B3B779C26CFED22317009FC72E1B020C9D21BF1A4BC415C3136071787A716B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001559188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:00.954{5EBD8912-3D58-6154-2105-00000000FE01}8163852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:00.767{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D58-6154-2105-00000000FE01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:00.767{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:00.767{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:00.767{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:00.767{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:00.767{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3D58-6154-2105-00000000FE01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:00.767{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D58-6154-2105-00000000FE01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:00.768{5EBD8912-3D58-6154-2105-00000000FE01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001559179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:00.173{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA14666C9DA4C9252849D11C6C708AD0,SHA256=1A5A4DA90976C96C11CF3D91DEE020693E4C52DC44DCEFDC43FAC4F95F29AA07,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:58.430{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-56805-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:01.981{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F884C3E4FB1DB0EAD079AC8C94AFFE1,SHA256=7A8A89678E4565A0CB0ED27625C4FB2D517332B55000440DB4FD66CBA33BCEAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001559209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:01.938{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D59-6154-2305-00000000FE01}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:01.938{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:01.938{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:01.938{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:01.938{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:01.938{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-3D59-6154-2305-00000000FE01}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:01.938{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D59-6154-2305-00000000FE01}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:01.939{5EBD8912-3D59-6154-2305-00000000FE01}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001559201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:00.008{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65283-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001559200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:00.007{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65283-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001559199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:01.688{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=453841270887273D79200091C016A1A0,SHA256=5639C3796FBA998B3D9F38FEEB4516CD1A91ED6451E166ECCD4B2ACEC197A09A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001559198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:01.657{5EBD8912-3D59-6154-2205-00000000FE01}33003876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:01.438{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D59-6154-2205-00000000FE01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:01.438{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:01.438{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:01.438{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:01.438{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:01.438{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-3D59-6154-2205-00000000FE01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:01.438{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D59-6154-2205-00000000FE01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:01.439{5EBD8912-3D59-6154-2205-00000000FE01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001559189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:01.173{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4848969EEE76983C9ED3D7035213915,SHA256=42B3A374EB12A95E70B03F7E6AFC5D75FF5EA9B23042F08034834D1751B6BD0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:02.981{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707AA5E536BB9FDBCDCF32B0A2A869A9,SHA256=804FCCF914852DC34191CFAE79C52E9ADD445ED92784F13CBFB8EE6E82FCC3EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:00.476{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65284-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001559212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:00.355{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-12112-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001559211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:02.220{5EBD8912-3D59-6154-2305-00000000FE01}48443988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001559210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:02.189{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30203888C9422F6C30E580EB080BEE5D,SHA256=77B2F1E565439092867B1995E2D1374E36A650CADBD49BD1AB6490C7B4974402,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:00.682{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-12024-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:17:59.555{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-4849-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:02.043{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45E472F4CFFA36B1AFDB1A90B59DBF24,SHA256=3A3E335D19F46C88A5BA71B7137BC120D8B8EE75432AD17570BFBF0D5A3D1EF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001559223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:03.454{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D5B-6154-2405-00000000FE01}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:03.454{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:03.454{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:03.454{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:03.454{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:03.454{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3D5B-6154-2405-00000000FE01}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:03.454{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D5B-6154-2405-00000000FE01}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:03.455{5EBD8912-3D5B-6154-2405-00000000FE01}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001559215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:03.423{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E77EDCEC5753B0E79B826C25A0D62A3A,SHA256=8D4731628077550E227B5CFCC5B113B43816B3DC03D643BC4BA4C70F867D3FC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:01.772{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-18661-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:03.169{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B44DC88F66476B634335A8416E50C7C,SHA256=4057281F3381AECA12707AEF597A25B2847D04CC1B5AFEA1D66B0AA677DF2713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:03.157{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08BA9010C821CDCF6B73EC250EE8635C,SHA256=16A3E864EA7E0B83068E1F2EC919414A6B75ED539C7587B8D2D7B7D7CC0998C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:04.501{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB6604925663BA3F46D751F3864AAE5,SHA256=3B40110BB333BEB6989E5F6A685BD7775B67768C396EAC54977ADB50F84DD0DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:04.247{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8C9A885265A5CD5638CD8ED54169B5F,SHA256=31631F67597CC734434BED92368CAA19736B1CDA8BC61A9ACB95D224F15BA634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:04.012{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D1E51DE9C6BC78D5386733DDCBD760D,SHA256=704389B3D8956C2968373BA474C1B2B2E023A78DE765A2C8A7737A037A2E1C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:04.470{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BADE4E93C66C0957C9570311D1A2D744,SHA256=F8E8F405B470730EC87FB436AA617C33BF733CAF6D5044516C0C294FDB01E78D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:05.610{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F62515D8B35A60870B8D1C25863E9178,SHA256=C74FD76F89398F0A390DC1B7121651605112FF7EE3D6F556A638989B7CE3FC49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:05.372{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A42BEE27FBD6E2010F1B91B41FCA7F22,SHA256=0702CFF04862395EAA93677132055657DC63A6A70E7ED98EFFC61A44D360A277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:05.060{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D384F5A7223D0ECF4986B3528D73C0A9,SHA256=D9A8DF7E2FC9756E49B391F325CF2784CABDC245CD266608B5CA327EB2545884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:06.610{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A156E7140FB5B67FD4CCA669120714,SHA256=913FDD6503E2B068F6DB4454D9F11CFEE74DCCEB03AD3FAEA555FD7D10143679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:06.465{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8067809B873564E3CB90A3DA1A350B5C,SHA256=ED2095BA5130210A1E063BDFAF9982B61BA100D6B2930175EC7BB01829A77069,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:03.975{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-32515-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:03.848{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51667-false10.0.1.12-8000- 354300x80000000000000001465368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:02.885{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-25805-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:06.106{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24BEDA0E9BA448C607A19695D7EB1F0,SHA256=752AB22736BD289245430850AA82FF56F98E2278B609FF3A0A8B535286135497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:07.626{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42A85DD10F0ECD9EE12394EC57A0B98,SHA256=9005D1683B7D0D47FA860B607B3BB790EC0836C58D90156B48BEA1F273F9660E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:07.559{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDA0C10B42D3B42446046EA8971E70AA,SHA256=C7153607E28CD38D837505FA32D3169BD3DE26DF852AE1B6B47B959FC19B3A54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:07.137{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34D96663888C4C2BCA4B2CBE9FCD2B5,SHA256=17C5D29608A64F163D60F13723CEAD607079915B849DEF88531C61BBA1D23BA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:04.379{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-38263-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:08.740{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B2DE5498DB0DE872B81AEDF615E07B,SHA256=2D8A684655DA98DDBE26AF0CB96DA7F76F211BF4EC2FDA5EEE57961C4017C114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:08.731{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFA9C7736DB4F378D360F7D2808256DD,SHA256=C8E5F340F59E40F722A223CF852AAA56687608BCB79AE60C8E7353339C1391F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:06.187{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-46375-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:05.096{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-39412-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:08.184{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47565F3C93CB08CC3BE8F030EDB42B90,SHA256=C637C20319917605BF74C8F0DD378AC3F566244D7DADEBE492FA8ADAB5C72470,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:06.414{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65285-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001559230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:08.126{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A754069F0A898C432F86AE58F4CD90F2,SHA256=9495C8CBCE14F1DE709E7674ADC53EB265C5EF33B5BF169459DDEC6207F14955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:09.740{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441AE6D0A1C78C0CADBD1D4147FF1D57,SHA256=5FE278BDD1A3E187811EF1F1D0FCE598DFADCC8282251F330F90488E317F9C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:09.858{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E77CFC0A07EA7346BE5D7C5A9FFFA275,SHA256=48564F9FEED8F6C9E7E7ADA33483EAFDC786F332567D836591BFCE38F2A8905C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:07.313{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-53225-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:09.231{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A0120621E48509D56D3C0404DDED0C6,SHA256=1C955693626A033071C496B343162FDF70B23DD9181AB01B54E61599B7AAD22C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:07.056{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse116.203.147.165static.165.147.203.116.clients.your-server.de62393-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:10.740{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43E4D454EE672A218930F9E71D45E144,SHA256=A8452B76ADE3B2746519E3C476B0D8B76E151DBB0DD55B8A59561102F6B0CD6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:08.880{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51668-false10.0.1.12-8000- 354300x80000000000000001465383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:08.463{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-1668-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:10.264{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38ABA8415CD578F526799D08D07D51F,SHA256=7E264E5017928B8B2B4641B9F9B9014BB2052EBDBC3D8BF98883711DDE72E5E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:07.758{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-4159-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:10.240{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39D12C066F43B84931253F049F1EDB52,SHA256=AAE722DB7F0C9533E3A42FD3F7E27D6F755B61F66EF327F063C94397F5836E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:10.000{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-152MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:11.740{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1C2959424A92307064F3D7BC7C0554,SHA256=CBB645758DE082E29AC7F650BB9965A8B2490F88FBC20B17955D99536D5D7975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:11.344{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838C66606868A466331645D82ACE45EB,SHA256=77BD39DCBBDD7CA64CCA14C824323876A70EB046F404BD2332E2C72BA1497E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:11.015{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-153MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:10.998{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FCAC29C4D247D5895E14BC0419343F2,SHA256=75A5E36D4AA828063E0F36601838E2370B3893B6192CB2133751F6D1F3D0C61D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:12.740{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACAB37989FE0B441F4334F43E26CF37A,SHA256=41CB8CEEC0ECB3C389264FFC76F796FD6F44EF8B2FAB141A55515F10C4A252ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:09.596{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-8595-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:12.362{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762C1BB57BB044A82438671647F0F15F,SHA256=4F551709543597F1FC7E30CE32AADF060601AA50EE8DECB398117B8CD586AB39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:12.537{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=428C1BFE9A199F4EE5CB60ABEBEDC43C,SHA256=461E93530CE3E810552FE76FAD8BE97C5E8B4286F80A5BB1C8F533D88C2F6867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:12.081{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=787C112EBB321B776DDC008943E450EE,SHA256=E4D04C2BB4883E3A365B6F387A6A5A1A2DB9F585E77ACCB18F98DE049C7624C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:10.762{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-33074-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:10.723{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-32963-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:10.592{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-17457-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:13.740{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269A55574B2EB96D2B646694553AAD01,SHA256=B16DC78B730FE13D34D1F80DEA5B98BDF83F599FEA71F19F89AA12B2587B4B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:13.487{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDE1798857DA89D71F3A89FCBC95BC82,SHA256=811CEDAE5CB4B91A6F26C877FC7ECD718F234F0830B6B5E9F50B5FD397BCC2AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:11.825{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-22820-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:10.715{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-15942-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:13.393{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE2EAE30B0DC7C03C5E9ABA86F96B3F,SHA256=7FABC6C2F12951D18FA8DAE93AF106752716CB00F4E08000C0213F002B3B8505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:13.662{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A9B9C6E81417375A78F8D5EEF62F670,SHA256=907A14A6DAA52C7848C4974BA673BD8966AD3CD2F784BB905A1AC44ADAA74469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:14.990{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA1230067271051BC12581202134663,SHA256=512D6F591AE4C7DAB4165DE9C65006AD41C0C588065F32CADE573A297A9370CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:14.612{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DA18122F4F8C99A75293EDFB3025C42,SHA256=209C5F7E9A822CBC7785CFF0F4B9DC48910FF86376F159CDEB55A36CE10E6664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:14.440{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAED8B0EE1DDA318EE18B6EF71F86249,SHA256=AB9A2EA14EB8454BB8E2F69FF756E040573858AF83284F280EB0870065FC880C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:12.356{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65286-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001559247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:11.898{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-40128-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:14.724{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFD59BCFE930BB6F50FFFEAD71F98B84,SHA256=E6B9E789FBAB5271827AEE16B90AE0E74841ABA6E155F6E67DDC28A699583BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:15.690{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B330140336FD8AF86B08F85F5250236,SHA256=0AFDCCD78A1F8A517C1F1F919AF5DFA5778235DD3639307F629054C6CB00741D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:15.440{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0459D2581A256891B1DB969A7609757A,SHA256=B5BE0053E357B4CA9458D0EC440A92A7ECAE61E1572146DA7E8CC00B06B74E06,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:13.001{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-47191-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:15.865{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC85891530C887460961F0C81D1459BF,SHA256=04C4EA45C4E5C3AD7F833ECEA47C03903F498537534403FD601297C88255F0F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:15.222{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D4AF3F04C0511E5D5BDCF12F33C2FECD,SHA256=BBB17BFDC57C06B98D5279A12CB6C527A96A6E98E09E8DA368A79F7FDA530C6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:16.815{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0210CC099E2C4320DFC5E02E61B03EF3,SHA256=57CFFAEDA98F25DCDF166F4F8612CFABB9665D51B6A8D69AFA27DD8E940AC3D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:14.886{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51669-false10.0.1.12-8000- 354300x80000000000000001465402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:14.328{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-38510-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:13.218{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-31382-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:16.487{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC59BC27ADAB76F09F03AB52A1CE8AD,SHA256=5645343BFF9F093DAF94C0971D9FAA011CE939CA2E787FD4C2999408E4D8BE7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:16.990{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A0D9709F62B8D295F73B354DA93FD07,SHA256=336C62E734E2F2EB335C9B0B3CE960D71AC4BB06C4C95D35A044D7A09AED6BAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:14.092{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-54144-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:13.980{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-42989-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:16.068{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E713FF5E670C55341516B29990B57A,SHA256=6AC26FF1F382FA5AD798BCDC48A24E0508BA97778A7840CF5935FB9171AA4960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:17.894{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DF9B78E45AD0CCBA8B84469F4D4389C,SHA256=536823195A5B367AA8283F9672A13E514DB671F2932722802EB63A2C4FE89E95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:17.800{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:17.800{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:17.800{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001465407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:15.422{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-45465-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:17.644{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:17.520{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5015EE3F1C962B81E47E88CAA267079A,SHA256=F1F477C874F2FD2A288A662EE2E3CC199733A49B898BEA999DC5E5A9A3115937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:17.084{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E6A2B5854B0758C7BA734E306B41C28,SHA256=1D2EB182F7BF28F93E10BE0BA58827555DFF3B59447E866E51DE7F840D34B555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:18.972{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB28DE2988FCA912D79D79B7BB2FB6F4,SHA256=9578CA8334F01549AB904AD84509D93FB97C4C1E3C6F3BE7EAD17285F949DBF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:18.534{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE423989E059CC4DD7F6AE4C7889B03E,SHA256=5B7F1A4E9D34720DBB18F77EA94A1BC12693D2C28CC52CE7ED2DD32CA70EFA53,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:16.786{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-56258-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:16.331{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-9123-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:15.221{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-2106mzapfalse10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:18.099{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B88F21FC6A0488E3DA07E0889CF50FE,SHA256=77BC609CF672656F4C1C1ECC7894DAA98E2F105A5154FC099D921CCF36F4169E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:18.084{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06FF7A00358335C369E6C8CE249E8581,SHA256=EBEF42A6E45BFFAAACAA813A48F5757A50825D864AA983B77D577811E1D760AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:17.610{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-59522-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:17.309{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51670-false10.0.1.12-8089- 354300x80000000000000001465415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:16.532{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-52666-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:19.628{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A06FEAB140E38347A8AEEDCDBADA5AB,SHA256=A03B3FD27849FBD1E910E4B52D3FF8A108C038278A97053AE2B7B10504CF2E93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:17.496{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65287-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001559264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:17.423{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-15940-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:19.209{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4757A0FAC4A2A3B95688A6ED3A585907,SHA256=064510C9044092D875B57436B7FC3BE1941AB5FD70E49347129082CB7D006EEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:19.209{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16F64BB2B40E7ECB7AF391A8861426B,SHA256=9968412279CEFA390C0F3BC125A8D1A0ACF9BFC49263DBA125D14809F92523C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:18.780{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-7640-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:20.644{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1DE724ECD68AD2133B452311E25BD62,SHA256=510C6D0220C7C98917EB10ECE6BEFCB4CAE5116ABF02FC745B53C85A5FD584C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:18.564{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-23037-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:20.380{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C22E2496E1267757EB7B62D30F41838,SHA256=7F519257D2108E1071AC090D4F9E681E5088C8EE934E8F1088D9F516C8288A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:20.209{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F8EE595812ED7E97FFCDBDD44CF8A6,SHA256=4C499C21F6BA8143935F400B7C096B1D34A1807774567C840577CD6E06C43BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:20.128{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF517180AF2A36DC71A9ED88A21F6FA0,SHA256=8D92A7E05FF47201397FA099B7E09D591930F5A75E37ECFCC6D03A4DC429DF91,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:19.873{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-14685-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:21.659{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719C92C5D18BDF9B245D329F30F7ECED,SHA256=0F6B803AEEF0FDF38B6D4803E9CC7F24011EF9D10F4930C825EB882816CF8A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:21.709{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=291E635584A77313427B811524C0B402,SHA256=1B8F605C9ADBFDF8DC4E7A17C0BCBBDE211F2542B4CEA41CBF7C0FD614B975D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:21.209{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7272C3156791108C1D2B954D9400272,SHA256=7B9EB963DEEE397FD76CC3D6188A4946F1E58A026BA608E1D0EB23C903C68A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:21.269{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE70806D2467C1A0BB9EC28D96E48B2A,SHA256=E4F328C32E1D98F0F43BA6873532C810AAD2B56660C6A5B0C16B256FB500DB6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:20.997{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-21766-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:20.745{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51671-false10.0.1.12-8000- 23542300x80000000000000001465425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:22.706{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DFFBFD33AB23A21FE1CB0A574D733BC,SHA256=868AD3AC0D2912D95D47C6F988E04F1D7CF29E77D9F962AFED67F5EBA2993FFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:20.273{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-23084-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:19.798{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-30377-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:22.787{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=333E02C0A94D55648109715CB500A283,SHA256=90E11C0C09912386F0109137D5F5A2D2E6B67DA67E1A4ADFAAE0DA815E88EFF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:22.209{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A245956A45F0F939B2ECFCC17C364E1B,SHA256=336420B0D173E4F244E57EB6CD91A20848A573AFC27437AB7DA67FD4CA1709F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:22.394{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BA28F5786F1C8CC736EAD5400277E8F,SHA256=A740DB26E2CBDB8DF33CC550D0695DD01667E0AD2D5BEA1097BAF91C1FB9D2B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:22.110{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-28920-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:23.722{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711656D1EC8A2E47BC57E21F742986E6,SHA256=7FE7EDBCF2595EA9C44A6017826EED494D1DE1A504DD8A6BF753CDC44B25ADDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:23.912{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=598BF450B305BC2A99E3F0EECF6BFE28,SHA256=897A38472B6B0D13330C3788DE7D469516EE825B7B30D44B2109571596229ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:23.209{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA8CAE7CA9879AFE495399B8D7EAA01,SHA256=17D5EBBBC1681834B79E0916F0AA26FE9BAE4236818C317CC86018A7946521EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:23.472{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8531AC7FEFE7CF3F4B5D21CA03171793,SHA256=2C189245242086A5A2B5036E69D80E09D79B52EEAD1B7567F6F167B466CBEFA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:24.753{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0332E3DAA8F313C7260E227BAA146BE,SHA256=E7185DDDB84E71F5BAB5E541F01923CE20313A4A2A17B77AAF87662962860B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:24.974{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9665CCBE4A8C20E03C10B1EAC46DC41,SHA256=96ECEAAAEE7DC9BAB0526C5DC31521ABCF6C624FE53349E2188EF8E6DBF71CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:24.209{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09684C6E2743419AD80B95FA95374895,SHA256=0BC4F6EE6E3EA3459470AB733D6502398F8B906E3937B7D6177A334F6DD65243,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:24.612{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7009B635712E081D7BA9BA0503E1BCD2,SHA256=349E45F5D637A8191E9ED962FB98922854096874A3B52EB1D4FE84210CB69B29,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:21.048{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-38032-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:25.769{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441CFBB13D942B5D2808AB9E999467A4,SHA256=0B1A74F16C96A27C9374CDADC722D8533258DA565E064CFEF8831861790B539D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:23.267{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-52290-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:25.209{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B497EB4BD49793A589392FC79C795B76,SHA256=58755B026B64B0AD39F863FBA21202789ED6E0D76C2486AFE325C992D7E3B7D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:25.737{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F71C800BA5251C25A38E1E785E27F8C8,SHA256=E547DE346F88C94926DD07D05BC2E004EF2204644060491D467072E94F4C1FF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:22.528{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65288-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001559281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:22.407{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-36559-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:22.141{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-45084-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:26.816{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=140D64E08871CCC21A9FE8DB8703E290,SHA256=D7033FCF199631B87D87952D3A5DABF37631B1DD26CA7D0C92BED4B1DCA00D6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:26.816{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3D72-6154-E404-00000000FE01}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001465448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:26.816{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E27010B5DB7C8A6AD767512A5C2C9E2,SHA256=9F1728A0DACFF9C486673318F0D9CC119F250A200FB6D97262D1AA9AA8280DD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:26.816{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:26.816{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:26.816{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:26.816{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:26.816{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:26.816{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:26.816{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:26.816{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:26.816{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:26.816{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3D72-6154-E404-00000000FE01}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:26.816{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3D72-6154-E404-00000000FE01}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:26.816{69CF5F33-3D72-6154-E404-00000000FE01}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001559286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:26.209{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C0205DF4481E371B9C37DA195F41FAE,SHA256=C2B25F29E7C4916FE6AED8433631F32039BDF0379B58A59EB916FA611A67D455,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:23.205{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-35665-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001559285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:26.115{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFA578BB1773BB501B68E1158A3D0774,SHA256=52EEDD9137529A5B2B883F133D2CBC7D7A8AA3756E497BE9F859E3093D09015F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:25.886{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51672-false10.0.1.12-8000- 23542300x80000000000000001465467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:27.847{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65D3384535FB22ED122F18BFF5FF4DF9,SHA256=AFBAB9FEBC9AC35D1EE551D7AC733D9B7B783F19875E0D24A14EC27E2343F51A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:27.240{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AF1EED3FD46AD1D7DB6D20EF4E7A14B,SHA256=D4CC654F1C4D7FFF63DC4B4ED9AB443D08492B481130916D3CFE47773EAAA8D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:27.209{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C25FFB4BECFC162758A6F44310A4575,SHA256=802D46705C6E21CC73A6B4BE8CB990CEEF2DDB031AD0D331E062C7FDD42B10C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:27.691{69CF5F33-3D73-6154-E504-00000000FE01}15283360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:27.487{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3D73-6154-E504-00000000FE01}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:27.487{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:27.487{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:27.487{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:27.487{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:27.487{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:27.487{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:27.487{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:27.487{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:27.487{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:27.487{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3D73-6154-E504-00000000FE01}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:27.487{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3D73-6154-E504-00000000FE01}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:27.488{69CF5F33-3D73-6154-E504-00000000FE01}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001465452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:25.454{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-49995-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:24.345{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-42750-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:26.551{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-56804-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:28.863{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E4EE116081249266EA41248FEA0B33,SHA256=9D492ACF60E282E071810E356B9D0E302B81944BA0DEE6A5A86334AE49DAF2C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:28.396{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15D00E8A9E541EB0885020D862FB7C33,SHA256=7558924250A490EEDA1E24793837DCBE21E30D16E830F89F580B8AD0B82C85B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:28.209{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979912B83D5A1449933BE6FE4064A8AA,SHA256=D35ACD26113F9BAE6F8179994E6E53C219750542F44F0F03710324655C889342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:28.300{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA4B8EA83D8FE2767445EEAFC8BA136,SHA256=EF54B51A0AB4F90934C49C7B448EB5CC34AD74776C17698741364B2CD35DD8CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:25.470{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-7022-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:25.319{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-51010-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:24.377{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-59303-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:29.878{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07AB088C9498D29659693045EAB3DDF,SHA256=6BE34FA0A2A8C35AEE13D61DDEBCF55C6AC091C8ACFB4C58ED4C9349C090E649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:29.507{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE7476C9628EEA57E48D8EED4FD5B5FE,SHA256=70D8CAB43CDF9D4646F0F5A51F01FC9E46F33BDE4F8901FE681DCFC94274094D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:29.210{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42217610B8BCBADB5DE1308B80010583,SHA256=C068C40C7442A703DFE7D0E650BE4E38A5B4806765D80C958B47508DE7DEC96D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:29.629{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3D75-6154-E604-00000000FE01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:29.629{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:29.629{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:29.629{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:29.629{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:29.629{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:29.629{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:29.629{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:29.629{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:29.629{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:29.629{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3D75-6154-E604-00000000FE01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:29.629{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3D75-6154-E604-00000000FE01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:29.630{69CF5F33-3D75-6154-E604-00000000FE01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001465472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:29.128{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AC8FFD1104B70E04649BAC6191C9F34,SHA256=FC895BB37C90E6F3236D94ACB7D5CE499427C10A6033A500A41DD167CD51A999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:30.894{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF87405DBCF3749218FDAAE546AC1064,SHA256=F7D84D63E3011A5B6910ABC8DA95F2686F77274692D0D3EC829A665A696B459E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:30.632{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57799006826E5C99852DD01C910AB65C,SHA256=699B528ECE4902A07D645F46EE5A1C8F0680697BC39A30497CB4F657788C382A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:28.451{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65289-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001559298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:27.748{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-21151-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:26.594{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13932-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:30.210{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A429DE2FDFC4AA0FB35D17789580EAB7,SHA256=D5CD24DF71D3C135E570046E10BE1F6E2012DC3E87F8296AE37C296494048740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:30.207{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35D62254376758694A06B344ABECBDC7,SHA256=63D84567AB55D9BAE3F90A7805C97B6DBB422D15F8CD827A2BEC44A6425DE11F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:31.910{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB8810CD1027E4AF25A09A0C07CBF8F,SHA256=A72A7251A8479E38EF7FC9D576335DDAF1404E66B91AC604B7B388D365AA7042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:31.710{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F38C87E7B0317D02E1E8AE79F84154E6,SHA256=23294BF05F0E9852093648736BA1FE901F1A5CBC5CFD099D902489A6843D7AC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:28.883{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28173-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:31.210{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A57A1F080FF13058DE8820B8402BEDD,SHA256=154B648DC1EC8A0A3AE970F872CB6F1BB322A6268AF2E673FC5C65B10CD91952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:31.284{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB3922B7D5660E67F5BF5EEE876569DA,SHA256=38473330C1EABB0F44EF39F89AA5BB2ACF52C3350F0F782CA736FBB59443346E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:28.844{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-12090-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:27.739{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-5371-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:32.925{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7ADCED25643006FA70427C11854CA38,SHA256=27D372C3893731F0DF852E334D6F89CE89FBFF20F8DC693315E3CAF6820E009A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:32.836{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43E7446AE4BB2DF76EEFCE5244D177D8,SHA256=9144772204ED18A7292EE9EDA17AEBA70A68370A1129D8B681F6F33C085BB751,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:29.312{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-16694-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:32.210{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09DB2DAF5FA83B0AF76CEC719618DA94,SHA256=55B22952D0B91317B2670FEE7BFCE061EBCF140D26E26FD1A2CE4DB5432894B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:32.347{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD60C74BAC81CE55FC316846A14D6FE9,SHA256=94764C04D4A85AFD742C16B460724B076243248F9F2D50C4AD9845EED12ECBCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:29.923{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-19010-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:33.972{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9736ED70A44B47BBB4A54022EBF31EFE,SHA256=46306C90F16114AE35490EE70C7EFEC00DA44051964C1F7E8661D5089C17D744,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:31.065{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-41615-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:29.972{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-34980-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:33.210{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834A6A726297BC285139EE714801CB9F,SHA256=0EC65DB5AEBE9E131288A7927C91A6989C8461C55325AC3250DAB6FACCD113DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:33.441{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25EA2939B429877313454DF7F173B5D6,SHA256=A72CEB0C4F1DE8396751349EC9A90654C63E7432D0D32E0674E3AB4E31984986,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:31.000{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-25741-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:34.988{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08A475D10986A5C9B1C71D2BD3C7BAD,SHA256=BBC86238B71EE7CEED5DF18C4988F921C45108F149CC37C933EF5A8A18A25905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:34.460{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=006BACC691CBAF12ED8EC129D655D7A1,SHA256=C8877B303095AC7DD55AA6B92E0A984CD51A53B9EF936FA161C2980E022CAF82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:34.210{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA3515B7D14668EAB9C51660872244B,SHA256=443B64B2846B3756E1133D43A7DC928551FB699C1AC85376E27CC969A5D7D273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:34.566{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=742698B9E39F6A7A742AD1414E8DF735,SHA256=906AB233EB31FF0F01D7E7118F33067AA4CF4B68B572A3A2DDA34922E0E7CF22,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:31.870{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51673-false10.0.1.12-8000- 23542300x80000000000000001559310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:34.164{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF12C505CAACCD118A07D7A8EFCE7DE0,SHA256=DF751ABDC8ADF6F661AC37243D3E0F3EBD8FBDF503F0C9A636593FB0413B36DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:33.312{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-55768-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:33.015{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-42982-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:32.187{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-48393-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:35.460{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DA681284C982F106856F12BCA1C7F50,SHA256=D137D70A2E180E86DA818D6BD51D16780342F9D4F6E9874F1F9C7E7B9C86B18F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:35.210{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5738BABCC497017668C54348A3FF4664,SHA256=943C8E942EFE0C562AF1860DC822C53826FC89DB9B3CFB273ED6AE7D9777A064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:35.691{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD906120B3DB1BDCCFB85EC4C159D8BC,SHA256=7EB6686B52B2D8BBDFB7C569A3591FEE671649D7AD37278BAF9F374CEE5A94A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:33.172{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-39421-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:32.078{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-32572-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001559322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:34.420{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65290-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001559321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:34.409{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-3641-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:34.017{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-429.attackrange.local138netbios-dgm 354300x80000000000000001559319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:34.017{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x80000000000000001559318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:36.210{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D375D064A2F46464CB3D60ABB4E0BC5B,SHA256=3CCF591553BB69A4E54420C4FBB100E1FB8E162A188A51ABF0ABB6A11AB3687B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:36.816{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B42A0D4CD91EFB23AF24C32FE4A695B,SHA256=16E7CCA9D73FAFEAB2515BE07692E0B4E190EEC4A84CF119C387FA542F5B84AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:36.003{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3EF7EEA8EECF9D43EF63CE597B93A5,SHA256=BF1423154734C81796BA57C5FA5299BB4E279B10354A2A673546CCA361C8A95B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:35.518{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-10464-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:35.156{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-57062-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:37.273{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26E35797B99890B18AC4A19FBE1D8838,SHA256=C6C91B6206AF551CA0B1E7F6A4AD8C1938AD745CFB8D600EE9C1F734A962915B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:37.211{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417FB9CD0C6AC6BC0119F8E5CFEFECCE,SHA256=3FA2F99749C6B51824F5D2529DFC9AF322002B6216A2A9766E6AB562D6656DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:37.925{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C024BB4116F87B3FB8202F8CA3323841,SHA256=D06A16F9EB243ED25E653C1F9C345E44F0E9B00BCC82827094B0C55B6525E656,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:35.419{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-53589-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:34.296{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-46672-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:37.019{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33AA356561F67325CC3847ED1A30B383,SHA256=EB3A99B1FA6BB439D4CDD644F56A63E28ADC96C4BC7CC055A1E6A3396B35B4F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:36.628{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-17547-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:38.398{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=797B987377D1EBE437D3483DC3AE2289,SHA256=06C93B4D5E829E9AF4454481BE982D00069F750C3B824D67E5592B2FD69E215C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:38.211{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06C39C17C5B9564FEDB809181CB46D6,SHA256=77DD1D9960886A8AD77A0C156D7BC4D9250C7D824711FE46019ED1BA94C53F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:38.988{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=665D652560F4B622FC36DB6D764DE9B5,SHA256=63F192E9BB6E1DBCAC21EC945ED496B234768015D44E8B1A278400A56BE98621,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:36.536{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-1545-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:38.128{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07EB0BE327A1B2DEEEEB31002D58139,SHA256=E0B7C8D964D01CE958202FF07FAE3241C6960EF4868D8764AD5E131801CB9CB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:37.641{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-8736-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:39.191{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC969EC2BDFF12E293272A988273CB3,SHA256=7609ADCDEDF765C7E7E673255B1A0D3E568170FB945F9FE15A2F5D1D9B8A0672,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:37.245{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-10971-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:39.507{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07322DAA01ABAE9F688396C70EB088BF,SHA256=FE79512814093432E418B76734BDE8D7D3C9E926D7A7D534B2BE23F32914B1DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:39.211{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32EF877589039482584E42D59834E49,SHA256=B1F91B59EB2275322A2FF165434F72CE11333B52774F909562760B4DAD2CF78A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:37.823{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51674-false10.0.1.12-8000- 23542300x80000000000000001465517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:40.206{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD951FCC70B1D6889BFE3768C0337D29,SHA256=5ED17BC90C6D2186719D22098A2EB6DA3B7D5043912A83AC1A9950A783B594D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:37.752{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-24665-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:40.601{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BDF3FA0B2F7CB7C3E8675B9A66AB58A,SHA256=8AA7B60E330C3B9A8028B0CF9C01E5F8724FB17DE04382AC9CE0D88DC96ACF36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:40.211{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=875BE5803F828D3EC32F924865EF6FCB,SHA256=534134C1065D31FA58FF7C8AFB4B24C92F1359C2E40A54E23FA5A62BF12760E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:40.144{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1372D21E97A28654F62E28BE7FA4BBFC,SHA256=0977CB599C05CD6C1D17D69247303C05F7955B358C0B875896F3A1A27578325A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:39.934{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-22852-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:38.733{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-15472-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:41.331{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7388CC1CF4D58CAD27069E221D20CAC0,SHA256=E44F8F45880CAA8251F71A1A0713261D90E507B74540A3E9927FF30A37CEDE0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:41.206{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56133907FBF6BE1BF69B55CE6C630E75,SHA256=337D8AF1CA05173B811C5935592577CE4298E317A570161B64C6615B7773E9B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:41.679{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A43A963E15A726CCFF02549DC97DA69,SHA256=42775CEAC465A6CD595C6C97A9F847ECC11C224D83EE5E696D15C8A6BE9172AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:39.483{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65291-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001559339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:39.444{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-24847-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:38.863{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-31324-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:41.448{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-152MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:41.212{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C684C304E8C21C50B8F88293A226494,SHA256=9BEDF62BFC37394EBA06315353322E12595E014BD9CE105B195AAA30EE269D00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.910{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3D82-6154-E804-00000000FE01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.910{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.910{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.910{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.910{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.910{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.910{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.910{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.910{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.910{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.910{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3D82-6154-E804-00000000FE01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.910{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3D82-6154-E804-00000000FE01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.910{69CF5F33-3D82-6154-E804-00000000FE01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001465539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:41.047{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-29816-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.425{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39EAAE047C3FE6C5F58EA56074696010,SHA256=9A8A4604CA3EB2C211C90AEAB3CC1FBB0EA1235FB46BC23EBE9F74F16DF08CEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.425{69CF5F33-3D82-6154-E704-00000000FE01}39241516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001465536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.347{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18152B6D47541C2FA65DDBE045CE4502,SHA256=AFE83F0917BCCCA1C2529AF8E4D7B82D675BE14DD8579AE7FA9C853C824011BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:42.760{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AD3101B80A47F7689785177CE99E8B3,SHA256=BA7E574C6C45380C4CDC80700A16B39647AA843D84DCE9EF02979E8BC8E22EFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:39.940{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-38346-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:42.462{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-153MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:42.226{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D712C29C5E7216D75B1BEE77ED56CF,SHA256=81678A06E1FE485E339C25A037F6740A1EB2EA1D929D3A055ED2B5BD9FD2389B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.238{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3D82-6154-E704-00000000FE01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.238{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.238{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.238{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.238{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.238{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.238{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.238{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.238{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.238{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.238{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3D82-6154-E704-00000000FE01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.238{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3D82-6154-E704-00000000FE01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.238{69CF5F33-3D82-6154-E704-00000000FE01}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001465569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:43.597{69CF5F33-3D83-6154-E904-00000000FE01}1208720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001465568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:43.535{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07BF06593C10F33280F45BE6F89677E3,SHA256=29907B6E3CB010A309B6B0AB472C3773A64C048C606FC8D069A928998DAE16C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:43.410{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3D83-6154-E904-00000000FE01}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:43.410{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:43.410{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:43.410{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:43.410{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:43.410{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:43.410{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:43.410{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:43.410{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:43.410{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:43.410{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3D83-6154-E904-00000000FE01}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:43.410{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3D83-6154-E904-00000000FE01}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:43.411{69CF5F33-3D83-6154-E904-00000000FE01}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001465554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:43.347{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56708E43C9A0331853FF7989F4D21D02,SHA256=22F1AFECAFE960D108115873A3BC4CF1D369106A692F1DD1F54A204707D83157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:43.856{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=053CEAE94B7796B8BD8FA91BBE00C5EB,SHA256=6DA1A6988A02F36B948B3E5E5CC4F90B337F513886FDCE84FE5E94E00451B826,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:41.018{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-45211-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:43.231{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08726C614B5F9619B88A716B805CC812,SHA256=31DA7CEA0397DE7D5653F22B1C24794758F14841E60BFA46B80410938A67C56A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:43.194{69CF5F33-3D82-6154-E804-00000000FE01}13163076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001465584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:42.143{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-36832-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:44.722{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920E2D1E5EEA17BA15B50D8F5C3EC6CF,SHA256=2BC30EE6524437E22E7B29481948244E45270A0A0A35BA21524069CD92BA1C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:44.982{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50A947321025A96AAACB5E8218B7BA27,SHA256=5A8191FF7406876911E304429D2152A9592282EB5BAE27CE5767536AA4DACAC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:42.262{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-38759-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:42.099{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-52093-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:44.247{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD677E5D0AEC640ACC33B7242C1D9D33,SHA256=5C59AEAEFCA64C6302970F36AFD4079A9E65654A8E070439837744B5750AB3C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:44.082{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3D84-6154-EA04-00000000FE01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:44.082{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:44.082{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:44.082{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:44.082{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:44.082{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:44.082{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:44.082{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:44.082{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:44.082{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:44.082{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3D84-6154-EA04-00000000FE01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:44.082{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3D84-6154-EA04-00000000FE01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:44.082{69CF5F33-3D84-6154-EA04-00000000FE01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001465587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:43.745{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51675-false10.0.1.12-8000- 23542300x80000000000000001465586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:45.738{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81D7B02346E0D3E44BEF2876EBBF8818,SHA256=A5400FDFF352E5984C9B71E8F41ADF23FB1DDE8DEF091078034D033311B91360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:45.466{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1BB657F8F39630BE616C2D2E6DCC46B,SHA256=69FDEB3821F75CA38CE3CD0204672D182CB61893457F3517D99DFC579D21E312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:45.300{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4C5E1E8E8D9F501EA00B5611499D078,SHA256=F34B72CAFA19DB00A236E25C77F52BFA3FEA82CBFBBCF936EFFA4DF6E3844420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:46.769{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EDCBFCDD5C681F9F4AFBE22A0C9B784,SHA256=8682C57C64917E85FBAF9958335897D0CD80723825E659E24BDAA58C9792EA63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:44.323{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-7226-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:43.209{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-58926-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:46.544{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7ED6218D1AE1C0E66DE9E2333A56C8E,SHA256=148C965E7F2CE069E35353318CC8EFD662B992C0D3D7AE8A63118B385A602165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:46.060{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9B2129980CA7FA90D4CF308A9E6B8C0,SHA256=06B44BD18B50E0458BBE831BBE8A9FAF19E22AB34762B88AB4B61C0E1102EECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:47.785{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9569F6DE09EC70E71769BDC91F92D5C,SHA256=AF824C4ACA4432FB68CB388D2147B1E36497EC52E363FCF7963C11094E85A158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:47.700{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:47.544{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F665B4F250EE5EBFF53FDEB05065DD79,SHA256=DC07BCC3E5E669A53B1EA0DF27F394B7CA3DCF6E329ACA21FDE092A550983AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:47.185{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DD7757E8F493AD75C27910E1B805D8A,SHA256=860F0B0303C9632FAB9A001817F255AEA7C2900B9EF9164B89959989E645B16C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:48.800{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F367A9A3211C825E27155009692387,SHA256=C830FCF42C9D6A861F5F7A42C68EF57B3716C5ED19BA0BDDA4C9B9A1666C3BC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:48.591{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99C76B20BC69E161C884EE7D8C7EE17,SHA256=D55D80F75964D315E3AF2884F93001870C4CACFCA6DA7E26E75F3E078306B9A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001559366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:48.591{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:48.591{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:48.591{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001559363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:48.278{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7135426415D47DFEA1583A46BB3498B7,SHA256=FF9E3E00F42893466FB2A719CFBF9DB4D409BEBB85AF39C49BB2893AD5CD6B0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:45.414{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13931-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:45.410{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65292-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001465591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:49.816{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9474D18C8F745D1533A4FB6DAB1BC1D3,SHA256=D3F0C90472754C55703696885AEBEFB0B741F9658D3AC73F424D1459767E85C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:47.004{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65293-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001559371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:46.524{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-20916-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:49.715{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D2D44D612C388B75BF11044F0B7EFDB,SHA256=53F262237DB4C48E689845760807D2365FA9312CF09A3E1D578872BF7E8B90FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:49.544{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFC174324F2452C7110FB8EFEF8BC4B1,SHA256=8D922C61665D0CFB3494CC25E422834119BAB60897FFBB7E200F79B883FAF29F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:46.094{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-4274-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:50.832{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2F25A6D9B3A00EFB591AA252C58A7D,SHA256=DF848F13E1432323D793EE5CABC19EF5878632B621898FC8D437AE72AB9D74DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:50.715{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61EC9688ACEE05C6BC0DE1352E6B0B54,SHA256=53F2CD9DC2F47A8713FADA5BDDB211AE14D6747044B9F2AAF6AB4C5D1031D1B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:50.669{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8915B98ED166D667A3965C5BD8030301,SHA256=456622D65434A129E41319289742C76CCA71A33E0E65ABC7DA984048DB83ADEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:51.794{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E2ADDC78F720CFFD1B5F476B11D0BF4,SHA256=D20FE2CC9C56737F5AAF8F3E0873CEF13BE38C2969E5CA5D586336F85723CD54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:51.715{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB004FEC2398052BDD8CFB38948FC0E,SHA256=285FFF1F7E881B52AAAB0851F34A6901998286BE6BE974DCDBD2E24061EC9486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:51.847{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B832E206215C81EA6B3BD351DB39DEC,SHA256=DE039F4AED06D1A9DB77E6C7EA83740E5E37EB24615C5BE794DCF2D49FBB58F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:48.917{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51676-false10.0.1.12-8000- 354300x80000000000000001559376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:48.897{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-35987-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:47.762{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28702-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:52.863{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC8897DBAD59998DD0896663E6C11DD,SHA256=D6C484000EE8EBA84C4C744AC7C3441A94E8B88CE3527E1F9313E1AD18C149A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:52.919{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E1006AC0DE9CCFD8497D92B69F866A4,SHA256=5B43F48FEDE402AC7BF1BE8906955C6FB72C60A0E00C6D261850817BEB955A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:52.840{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88893DB422563010630C6262E6B67C9A,SHA256=4D895D5CA2CA143BD1B0810F3933A9020267C6F055C4F10E2B23AF06DBF941B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:49.492{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-27874-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:53.879{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9590CB13B828DF6A4DC438DDF444AF1,SHA256=8AE4D2F04F0B1391ED92F863DFAD15EB102C01D4164E04A3FF3D97AD349D37FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:53.841{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F75323DB970A7F937E7BD1DADD9A403,SHA256=53BA877E2DDF9A338E4E21F5C0809D05B7B23E567096B41913AF8184A3976DCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:51.145{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-50290-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:50.441{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65294-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001559382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:50.022{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-43364-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:54.894{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7E17CF295FB6CD58087D9A3516BCAC,SHA256=811091D95A84C1F38044D598312B8A7A8823F8BB0D39F9BB32585C01705E9DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:54.856{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF163F43C10DC570314252A393225BD,SHA256=62991625226FB9B5A85E8FE48BE7A8644E5E6DA6D5521C64A20B9152A0CAA869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:53.997{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C4FBB7C5D2F32A22DD2E2EDFE7DEF23,SHA256=519FE8848E77648BEE257666C3A1B280B65A6A3D7538AFEE85E35D05DCAB5B72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:55.910{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C040CD8EF9F855168CC928C1AF4180,SHA256=87ABC45F4CAD25E54FB1F2E86BE91891BB02EE58E085BB89E08F4CA0FE8E9E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:55.872{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0812B1426B3EC3E28389ECF60FDCE47A,SHA256=4093515EAFAD66D41643FA53CE72737076178F7BD38400A2D57C1BD382995A21,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:53.337{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-5185-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:52.489{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-42565-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:52.258{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-57305-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:55.075{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15E19E44EDABD115CECB90331F18F4E8,SHA256=073C5932DCC8E682EE50E17C93ECEECF6A312650647893A0E68049B46711B988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:56.926{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB8F63CB717B7BBD76256DD6DD95185,SHA256=292094BF378B6893CBC8EB9B96AD965C2B010753453AD69EDAB4450BAA10D4D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:56.872{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07342CCD44D0958FB4D7FDF1EF1C2FAF,SHA256=D2701DFCF30A219ADA02359A1D4E447F7A07E2BDA31458AE857856A6853292C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001559401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:56.747{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D90-6154-2505-00000000FE01}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:56.747{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:56.747{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:56.747{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:56.747{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:56.747{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-3D90-6154-2505-00000000FE01}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:56.747{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D90-6154-2505-00000000FE01}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:56.747{5EBD8912-3D90-6154-2505-00000000FE01}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001559393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:56.169{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C49F821B297144B4B9BC77F7A4BD092,SHA256=623A792537FE18812849F7401DFF4E7D1EBCE1E673E87960A65113149040FEDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:57.941{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980C5D3771A7C3FDEADBF3A3B24F0A79,SHA256=F05D8DE583D1C4E573828E14B8CC9ADDBD4206BE07A2A90BF3322C5CB483D577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.887{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79759C016CEACE0640FD58C4BF767543,SHA256=F83152E41771079E3DBC82ADB1C7C9F343A4722FBCD0AB37791E92D24A3E45DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:54.901{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51677-false10.0.1.12-8000- 10341000x80000000000000001559422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.747{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D91-6154-2705-00000000FE01}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.747{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.747{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.747{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.747{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.747{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3D91-6154-2705-00000000FE01}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.747{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D91-6154-2705-00000000FE01}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.748{5EBD8912-3D91-6154-2705-00000000FE01}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001559414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.309{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=171CE9EA675AD51EB21D3AF544BD37BC,SHA256=6B9315B0D06FBF87CB62B7E28A6037352AA5D1800DA9BE50AB70BA5453D41344,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:55.472{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65295-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001559412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:54.428{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-11897-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001559411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.247{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D91-6154-2605-00000000FE01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.247{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.247{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.247{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.247{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.247{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3D91-6154-2605-00000000FE01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.247{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D91-6154-2605-00000000FE01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.248{5EBD8912-3D91-6154-2605-00000000FE01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001559403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.044{5EBD8912-3D90-6154-2505-00000000FE01}9644904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001465602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:58.957{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1492C05C0699DDFB79822464FE86993,SHA256=B2275C93D8B71A3EA9469A242CC3ECE249BCC624B6B0413EEC533D9C29131D24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:58.403{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2075909D3DE0C5CA6618B5A2AAD6FEC,SHA256=46AC78FC36669304A0FED0F6E652D4BA6A52AC761A379DAEDFCDADC3FCB7DFA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:55.554{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-19139-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:18:59.972{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A4B2A502F8F2690953085A26FC634C,SHA256=CE0CDB67C8B2A474EA09FA31ACB8A173BFFE6EDA0B428A6EE462721E990B4DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:59.512{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2CEA6B060BBF81BAAA25A9CD862F0F9,SHA256=CB1E54199C7EAC51F615B4BF37F4D8DFD310C24A5D2D5CCFFB8B668195D0A610,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.368{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-34013-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:56.669{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26174-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:56.564{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-8240-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:59.106{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A740F8007842158B51C6193E51E726D,SHA256=3B4A9F050C59209FFCEAEA93A5F488EC4A68D0426ADCB23E1CA8305770FF64FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:00.988{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65606CE0F85F82C88AB9BA133BBCB4CE,SHA256=601F674B90747BCBEED71E7686574CD0C6136EC9E953854B367FCDD8E6FDDE43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001559442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:00.966{5EBD8912-3D94-6154-2805-00000000FE01}2920720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:00.762{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D94-6154-2805-00000000FE01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:00.762{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:00.762{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:00.762{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:00.762{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:00.762{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-3D94-6154-2805-00000000FE01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:00.762{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D94-6154-2805-00000000FE01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:00.763{5EBD8912-3D94-6154-2805-00000000FE01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001559433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:00.591{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3BCBD2BDE36AAEC3E268FD01F14904D,SHA256=38BDED32F60E49A90FA9CBB212ED359E962F7DBE57EFB8523FB5F04730AD24C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.392{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-34191-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:00.106{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E414EDF4945AA69E00989A49D2458FF5,SHA256=015D7FD05877E5D3C691A255445B035CC6AE3C52D564F05534D1240448337663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:01.716{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88A5C5AFF07E78D39E8CB7D9CA056C38,SHA256=E872E6B109F7DA2E750869BC54E7549872B176421A8E9ADF820316E8E34F5E3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001559456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:01.622{5EBD8912-3D95-6154-2905-00000000FE01}53205456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:01.434{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D95-6154-2905-00000000FE01}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:01.434{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:01.434{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:01.434{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:01.434{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:01.434{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3D95-6154-2905-00000000FE01}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:01.434{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D95-6154-2905-00000000FE01}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:01.435{5EBD8912-3D95-6154-2905-00000000FE01}5320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001559447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:59.599{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-45346-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:58.853{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-39808-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:58.476{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-39818-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:57.755{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-32801-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:01.122{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E88A7730E5B8AF9A06C65D7986343BBA,SHA256=4D8E0F79A8090491A2370E1B5BDD153FBA4565B72B3E75107E12B5A22232FD6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:02.794{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B7DA40F20BDD588850D8E6852464A60,SHA256=F828F2DB28B3E53DCDF4326372BF47F47BAC8989AA90A3B956EC1364380B8297,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:00.019{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65296-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001559469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:00.019{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65296-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001559468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:18:59.946{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-46556-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001559467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:02.356{5EBD8912-3D96-6154-2A05-00000000FE01}3140108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001559466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:02.122{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A76B88C5D8239367A9821505A9F2B0F,SHA256=6B37284638B81C8E931561A3CD6714E4EDA1C7C4AB6DE2505127C33D5C4094E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:02.754{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60318AF93DECCC3984F9D50466D4317C,SHA256=D07B7053DF5DFED83E74CFF45910DBB129DD77C75A8875D2551E599C62883650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:02.754{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=464AA953BBEB6EE6E147F5B550BBA040,SHA256=F46969626D542D116ACE1D3ADA95CD1467B7914545B1E220A0027C03EE113C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:02.019{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A7A7977DA2EA85222E874C2F11B221,SHA256=5E0B55F621FD8C17BA27666628E06AD25BECAC8B52F34B6B19D4591D83DE2267,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001559465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:02.107{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D96-6154-2A05-00000000FE01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:02.107{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:02.107{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:02.107{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:02.107{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:02.107{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-3D96-6154-2A05-00000000FE01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:02.107{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D96-6154-2A05-00000000FE01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:02.108{5EBD8912-3D96-6154-2A05-00000000FE01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001465612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:03.894{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60318AF93DECCC3984F9D50466D4317C,SHA256=D07B7053DF5DFED83E74CFF45910DBB129DD77C75A8875D2551E599C62883650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:03.051{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A69B534E22C26D3702FEBD0AB00EF1,SHA256=A0C8E9B1BCE487F1520508FF4994BAA1826C92A4A8E6D42F3481A1C3359D39C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:01.384{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-43532-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:01.356{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-43376-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:00.854{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51678-false10.0.1.12-8000- 23542300x80000000000000001559486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:03.872{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52D6EC8367E85FA30E2740265E9C2B0A,SHA256=85BEFF479E8AB8DCC6EB000F9C1C1B874EA650CCD52C810AAE69D3A85E346882,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:01.426{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65297-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001559484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:01.113{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54251679-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001559483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:01.055{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-53798-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:00.970{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-40125-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:00.726{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-51028-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001559480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:03.466{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3D97-6154-2B05-00000000FE01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:03.466{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:03.466{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:03.466{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:03.466{5EBD8912-18AB-6154-0C00-00000000FE01}8524804C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:03.466{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3D97-6154-2B05-00000000FE01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:03.466{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3D97-6154-2B05-00000000FE01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:03.466{5EBD8912-3D97-6154-2B05-00000000FE01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001559472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:03.278{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FDFE3FB0A1279092FFDB3DD94A214D,SHA256=FA3A46D48CD74140D7C278AA3D05F0AC15D08E23039F0C2EB8CD284E0C785E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:04.972{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=043189810BE71B658EE92EC3FAFCC3FD,SHA256=F2EB0E211270BC7898704DDE39A748165DB7DDED141DCFA0084605437218F44A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:04.098{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB15290C5B81A07DB0910D8421A6FC37,SHA256=6AF39C2AA99A9089CB85BFC743780A26BA90CF0FE32D7E4FA3A7C1BDFE66A320,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:01.439{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51679-false10.0.1.14-49672- 354300x80000000000000001559488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:01.852{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-56672-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:04.278{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3533B00B574F169295F7BDEDF754ADD,SHA256=BF80B0638EF75825DEF5B248E1BD198FC4F0204580D79214EE05E23CC5C5D8EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:02.488{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-49564-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:05.113{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0258EAFEF3D3631F92053451FA359A3,SHA256=DD4BB72D002519C8E064F1F150EBAF362AC197677BD984E9F7A09D63C0F2CCF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:03.013{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-53280-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:02.975{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-3356-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:02.135{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-1808-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:05.278{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=053D1E510AC95BDA3C276E100AB10387,SHA256=B2F343F23FEB93DB2365CC4B7EBB057E78DDBA79115407585AEB5ED364E83FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:04.997{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D21C988CDEDEE547E426D325CB6A483B,SHA256=4B926AD54C9F54338073CD087038A1CE28093375A32173C75AA6797BF3A2EB7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:04.699{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-2717-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:03.610{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-55409-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:06.144{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8FF37DA5FC97B082F8F78EB9D89BFD,SHA256=273383101505D0539143D10006420C67E448100384204227F62899789E71D53B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:03.226{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-8391-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:06.278{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F63C913EDE06425BB4EEF4AF5EB9CE,SHA256=6F73F975D51032C1C1CD09F425C3DD0D952D220743EFF363857EFD043502DA19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:06.082{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04F2301D5B618FC702DC0D481E3DD3DF,SHA256=74E4A5AC162914B2F0BCAF9201BB75F2ECF6478C5D5B99EB561F2B8664713592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:06.122{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDF9A2B79BB78739895270F8B24792DF,SHA256=0609ECDA83371C119530B5C827DC69659820F65BFA7D186A67246A5526146F97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:05.793{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-6922-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:05.461{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-22438-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:05.177{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-14524-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:04.364{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-15493-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:04.085{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-8920-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:07.278{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAFAB13695ACE59DA60548BEC4D0AF11,SHA256=B63F07CCE0FC38E48CA82AB328E16021E438B1989F34ABE1471DC06E7C361AB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:07.176{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3953B1B6D68B12CC6067724ADFDF37DC,SHA256=C05527C011FD9FEB93DE70DDD7992C7313F20358067C8115487462B456E8348C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:07.176{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2D380F2D7969BCA3956B849A7628CB,SHA256=3D54DEA88F6FECEDBA1A8FC4C1E27F170EE2ACC51E442CAD2B5ABB3FB077D669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:07.200{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96CE775A238B2627B303BABBE3277670,SHA256=19B417A8BEC9A3215DA4F70F63B003488310C441B598420EFFE130D0241C151D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:08.325{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69CE6F953C7BD118BC127988D1AFA780,SHA256=873470F70252898793898F74DBF0BEEE283E3403440F6F653F52F302B33B0DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:08.278{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB79EB0F2BD3FF22130EB3B31F08CDF,SHA256=9F3294996BC8B1B9E0F8B6617171F852DABA9A764C781274018C2C33416C74D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:08.301{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=752DD591CF05FC59F76F6AA3456A30FF,SHA256=4C0197167B0FF3B02656ED93A85FBD96F5AD1BA4088E416AEFA3DAD368D77D1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:05.797{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-9004-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:08.191{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6877A38A30E65641EAB414DDE7115A1A,SHA256=89891B10150869E5DFC247F8DF8B53ABF4F51FA5FF88C96A2B9109BB6CBC6EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:09.444{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FC77A5B8E02EACC8FFC05F12A542369,SHA256=B2519A49D9C5BFAA40454651415E63ACA600F16FE0ABCD446F635804FFDB0AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:09.288{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B7D6D9A9D99140427AA71CD3ED3A686,SHA256=FDDEDE0EC2581AD1F3C38E534A2988DC5FC024BE9FFBBF81B136CD599C3B909E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:09.426{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F181FA7EF6D341D76C23E957DAC93905,SHA256=0190ADA7B5D24A2477447034DCDB0EF830C72FAE390BA8185282699BC7042DE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:06.904{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-15117-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:06.776{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51680-false10.0.1.12-8000- 23542300x80000000000000001465627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:09.223{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=831F5A9B3AF135595A88034563E26EF8,SHA256=9890D303EE92CF3683D33A620BCC4A68B892D499F41F13084E0EB70E99DE4CD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:06.583{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-29488-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:06.457{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65298-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001559506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:06.321{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-20369-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:10.504{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85D115824787B7CBEE7A7A489232B17F,SHA256=C31BAF4CFD799C1BF2DD9817CF982862610FBF4582192F531366DC6C32F22FFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:08.037{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-21094-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:10.223{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA2323CD14BB2AC2B4E71A0790D8947,SHA256=3EF95E979EF831AC44968682F70F3D11BC512E2B880C42444664558146FD1C92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:10.569{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AA559984A60456597669C3CD64BA386,SHA256=0551F83863965EECEB22DAC49E572073B320B4A4F1CEF5EB3B74E78908D09AEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:10.288{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBFADC6A36CE98DD10530C32B0A5BFD,SHA256=BC07313A179C4F55E7AEC4BF16499208AA8641BBEC773717D3488E251607288D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:07.679{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-36332-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:07.414{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-25710-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:11.568{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD08C841E4234DBF9FE1868D8B565C9C,SHA256=61DEA7303B591558264863D143F9BCD45F3A8189687A24763827D236DDF1ED8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:11.524{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-153MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:11.272{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C1CB67564F84AF936EFEA2AEC0AA121,SHA256=CF84E9BB570E5EA9DFED93CF418ABD2E43CCF6841E1421056ADFFE1CF3538C86,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:09.642{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-36977-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:09.249{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-32540-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:11.601{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40E80E002FE7D081084B7B5BEDFF236B,SHA256=41B1C0548939AFCFBD82D4D28C60684A225E4B2199FF73DA6FF63EDC86ACCF27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:11.304{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67ADFA9070334F9B1632D920906B9288,SHA256=69F3AA9DFA4136D786CF79FAB2B11803D00F7314D0C697971F99337B96DB6B8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:08.798{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-43528-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:08.546{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-31507-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:12.707{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A53416B97BF67EB41F5DC82AF9114B49,SHA256=A5A4A548DD2B6621B6A004F880ECCD232FE5B5CCE0265E761A1FBFE43FD648C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:12.538{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-154MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:10.220{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-33599-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:09.141{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-27499-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:12.303{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559896443FE23697A6D3009F4D76DC72,SHA256=C5C2C62B2626DB7A8BFF2FD2BD8C7FC9BD87DEB104DF12A6544EA0FD0BB17582,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:10.987{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-57724-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:10.720{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-42421-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:09.908{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-50677-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:12.726{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02356839F457A19720927A5E17160567,SHA256=A73BF41A79B2C45F7F6AC4A8C4E16522451784499A48B2BD0AB82DE219F08ABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:12.304{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849DC363976C58A957B827DA6DF8850F,SHA256=669B0B1ED8D568FC8885BA3A9D0ECE53D3DB81134706EB3173CEB8A58DC4A03B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:13.851{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA5EB177FFECA3EC843E6AE3C73E05F8,SHA256=A358F3192803F639E4D88F686600DEEF65610ADB2E9FCF0CC08E5AA094EE170A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:11.927{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-45537-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:11.813{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-47930-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:13.304{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5734178C13E1017327F1B5356C1471,SHA256=9A0F51116AC9C17529C0845C8AFE9AC9C5AC9C89FEF2076741FF51031E641D0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:11.950{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51681-false10.0.1.12-8000- 354300x80000000000000001465643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:11.312{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-39498-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:13.320{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACCD18FB45EDD7FF193C221202BD5906,SHA256=2AAEBF0E8EDD264ED175C6F8980A8A6A7C9D9B4BA2BD21CF1EF325976360360D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:12.081{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-5536-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:14.304{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A776BB63C4F587195DD74FB424C75F0,SHA256=3046BF84747ED9DECFCB92FE489546540DF062D97FAA5311DAA04ECBF6712764,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:12.436{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-45813-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:14.367{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B632D03F79B103368996D78D050E97,SHA256=59FE80233469A7FA42AD65E489C4D126A516B47130EDD322AA6F859F43D54B4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:14.117{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D29D456238A9E3253CAE342E64E96B73,SHA256=3CEB111BE9B67EEA93B189054422A591E9A868664F7F18921B869D3D779ECB2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:15.429{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE94C00A4FA5442072CA4A4F0E5AF7F,SHA256=34543C5A1CE4E53EED2D7D6CD21DA3CEB1CB733822DA59DE1074A198180667B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:13.412{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14086-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:13.389{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13866-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:13.353{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13714-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:13.331{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13462-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:13.293{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13228-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:13.258{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13107-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:13.236{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13008-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:13.214{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12876-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:13.191{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12739-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:12.942{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-53643-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:12.420{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65299-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001559533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.585{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26E99072329F44E35D1D92D95358664B,SHA256=3850DA3D849C7C65BC4FF1DAD613E3D0F9AA2B38232F2328A220648B2A6DD955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.304{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6B71C68E0F9570855015FF1AE57D0B,SHA256=813B5CB2566E3BF32857CEA901C68513970CFA8202D88A0E676822D4E515E3B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:15.226{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5319BFDB39B4A39A89568FAC52FF796D,SHA256=335972DA00AE93FDA72C3914A92362B5845284067FDE142A5B5F3A006CC6F4DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:15.195{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=163336E08A7A5EA59B528709E7C16D8A,SHA256=13B7B597B5399E3BE42DFD24E1E11FB3BC5284E9C983D3512061709E1DCE4B79,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:14.925{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-59866-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:13.832{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-53578-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:16.445{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6AF0670551B4E8179C5B1EF876D709,SHA256=49DE542F8F2AF7EA84EBD66942F14843908EF4FA93264E36A7D558CA0F43C74C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:14.249{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-59813-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:14.211{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-59639-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:14.171{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-59369-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:14.134{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-59227-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:14.096{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-59131-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:13.434{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14234-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.304{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90FE89C5DF4E6614A8D731EAB997055A,SHA256=29C208E1BD3D3713B16ACD6923DCB987CA6F94E265975F75A59B9701AF925942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:16.320{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CE46897ABC941D978D6F86A85E67B3D,SHA256=BACFB61E88258FF8E57F123DEC6A5CE6E274C23F61B00AC604407042F2C7801F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:17.664{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:17.523{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B0AB45986638BDB41EE58594D0327F,SHA256=E67D1C507974D62EF3105F413A0FB95B95AB78A746D1BF05CC11D2BE45867929,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.014{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-9588-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.977{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-9483-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.956{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-9283-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.920{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-9205-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.898{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-9048-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.862{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-8921-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.840{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-8813-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.819{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-8632-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.783{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-8419-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.748{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-8303-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.726{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-8108-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.687{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-7928-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.650{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-7759-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.613{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-7566-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.577{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-7464-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.556{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-7370-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.533{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-7257-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.512{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-7125-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.478{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-6922-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.443{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-6751-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.409{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-6590-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.374{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-6403-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:15.313{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-11338-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:17.319{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=016099A544B466C8F2B97F952ABA59E5,SHA256=31476EB4485CE301A326A8268315E209A9E8EC5A07A54EA71761CA3D68CA767B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:17.398{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE0C4E0ABA9490B5AD20748E77EDBC04,SHA256=38E86F394FA7EBEBE43277560153123F55F3D8EB6BB1914B7C3846C04E4F3D6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:16.035{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-7011-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:18.554{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E576FEE5C901237D4DF1BEF6D946E4,SHA256=BCFFC85673A45A4737E4D755AA09953C9661D023E7D7094D0AE5B5FB96A122D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.785{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-13543-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.763{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-13437-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.742{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-13329-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.720{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-13166-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.684{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-12999-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.650{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-12890-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.629{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-12780-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.607{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-12573-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.573{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-12379-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.536{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-12212-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.503{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-12074-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.481{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-11957-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.459{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-11853-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.437{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-11745-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.416{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-11553-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.382{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-11452-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.360{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-11299-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.339{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-11163-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.317{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-11074-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.296{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-10902-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.294{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-13961-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.262{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-10801-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.240{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-10622-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.205{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-10463-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.168{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-10371-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.146{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-10182-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.108{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-10042-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.073{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-9886-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:16.035{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-9759-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:18.319{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE045AFF7FC716C9207AF47367316EC,SHA256=1B01A41A513B311236B501D9D1EC9A81235C43618894E2F35E732630A311C894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:18.476{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D006585CC3104320560F53FDC508DC77,SHA256=F39603C2DA72ABC58F3FAEFFA6B62D6015422091A3FACC3E711D87F25F2AD29D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:17.347{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51682-false10.0.1.12-8089- 354300x80000000000000001465663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:17.114{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-13033-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:19.601{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E185DCAC015C26EA54E16C015C44D35B,SHA256=5A763ED440D5F9BD9F9122A9F2837B9BD5523FBEEC156B2EF29877857699E23A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:19.570{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D5BC21C0A06B62FC2B28B5D602C3CB,SHA256=31AC98B20C61AABE84569FC9F3BB33CE347F00281234F68FF282DE8B298EE61A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:17.467{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65300-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001559607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:17.267{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-20055-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:19.757{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBEBBA4CD86626E71D7C986EB1088A6,SHA256=F6B8897241F84AF4FFC85D7A94A95FB50224478D41DB0EF852C6D659D306ABD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:20.991{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B87DA25B6FCFDCF8580ABD58A8C83369,SHA256=4FB64704FF1E4354A1B03D5A2B934EFC73BB4686B4B9FFDC8571D9A94E15F598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:20.991{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A1050927E0C59404128A028C7EE75D4,SHA256=0E9AD7B4BD55C7E665DDE0420B928D4E9DC589F34427EB58A2D06227B61FDEA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:20.882{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E837809BF9BC4753055ADB186910DEBA,SHA256=49FEE3F2870A9ACE761528DB8A9644E6AF0375EBF3A0D05720B9A87277B0087F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:18.206{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19121-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:17.935{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51683-false10.0.1.12-8000- 23542300x80000000000000001465666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:20.726{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B26FD813F06141A94B4C25FE3E1D002E,SHA256=3029BFFB372EF5C92C4C975EBAD0EFD9ABB98CA76B5B8E6A14867260CFBAE92D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:20.586{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2147CF2F16D57888B4E0139C2D6316,SHA256=B906F726CBF27CF05DEF4AE62706C15AA7A679CD30B4821557FBDE1DF805D60E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:21.851{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D52C54D0B2E08EDB8E33B13572BFF1F,SHA256=70187585772C86C88F36C56EB11B335035E829D5FD4ED48AA25A88998D8E5454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:21.617{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=796C8C2F80D84220E3741E5ECBACD5E6,SHA256=10A46D781711B936E78D56D341764E1FB537AC60020BA0B467461249E1BC6C3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:19.344{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-25119-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:22.976{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53EC3A070454D8F1663A3D17134F2DD5,SHA256=D1A81E12FA933B8E150DA8AFDD31C8B308DF7A72CF705C89664BB67488EB9075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:22.648{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DF78FEDED3D70EF2371B87982395DC,SHA256=C9FAFDAAC2628FDEED77A6456973AC8BEBA2F8D054B3046594B6BE87855112AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:22.116{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5696C8F5921A42D8B598A7CCDACFAA6,SHA256=25EBA09F9C397724983616512EB39B6002AC0961F3FC9A83FB504554BF379E6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:20.471{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-31343-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:23.679{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F253332C3C7AC327535C7350660704AB,SHA256=52F3DA37238C8624FED843847B2602146BC5F772428BFDC523507C03D8ED6446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:23.148{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3617B74BFE6D045283657291644D42C1,SHA256=57EAE701A2943658B51774230149F57ACE64498C1B5E270909F60660347CF5AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:21.581{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-37580-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:24.711{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57153721C954D0E9B6CD870E50C3897B,SHA256=E86DBAD7FF0B4884A7E838232AF04B2C2331678FC98A98B598B929CAEBFBFC91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:24.960{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B87DA25B6FCFDCF8580ABD58A8C83369,SHA256=4FB64704FF1E4354A1B03D5A2B934EFC73BB4686B4B9FFDC8571D9A94E15F598,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:21.310{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-44991-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:24.241{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248C6B902487703F128624B5C28E6E1F,SHA256=20286041B4AE96754BBE7B3A03DAF87E9D76A8EA420DF9CF221DC8CBF66A2FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:24.101{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD3258A4A779EBD8F49DBF3D4FF7202F,SHA256=D240AFBE202F094B3E599AB01818DAB3A2AEA7A1E4B4F4264EA7AE3819FB95A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:23.810{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51684-false10.0.1.12-8000- 354300x80000000000000001465681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:22.703{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-43924-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:25.726{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E40497F6F512ABBCF8ACED2B73CAD73,SHA256=0AFC78FC9F1AA6DF07874681CB45161A8EDA737E62F869475B561ACF90A875BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:22.482{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65301-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001559617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:25.257{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F234C357C1A81BA26F867DA8A72B26C8,SHA256=7318C6D2F5CC1F8A43A253812E9D8DCE82BE5EAAC120C29E34BECE4C14CA976C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:25.398{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2B70831C07A91D57F33E01023C00E90,SHA256=A35A1F54243F562439ED2AB8FA7F25DAE9861F41B1399418136648D4C980A377,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:23.995{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-51292-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001465697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:26.820{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3DAE-6154-EB04-00000000FE01}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:26.820{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:26.820{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:26.820{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:26.820{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:26.820{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:26.820{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:26.820{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:26.820{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:26.820{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:26.820{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3DAE-6154-EB04-00000000FE01}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:26.820{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3DAE-6154-EB04-00000000FE01}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:26.821{69CF5F33-3DAE-6154-EB04-00000000FE01}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001465684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:26.742{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C20360419156025AB07CC4CC6AA512D,SHA256=28307F9F076DE98AC46144523887BCF0312A614D1ED30BD2775A63DD29945034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:26.257{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDFE40A5AB600248DDAF50C9C1CF4E63,SHA256=5E665E207A5910D121A9394B6BE99E2360245165CBF2B20E948EA4455857B447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:26.523{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9920F66E4FE3E86AB8CB8EFF7FB03C70,SHA256=567BDBFF2C4E3D164C72E4583DBF9F03D93059A91CD1F48E4BB3B3B9A4CEA6FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:26.250{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-4508-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:25.130{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-57162-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001559621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:24.687{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-10672-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:27.304{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99F0861BE7A7449B978EF6E71BEF261,SHA256=5059154B707325A2371414253CC0D810F8A6B93D04343DA4FFB37F4AF3BC8122,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:27.726{69CF5F33-3DAF-6154-EC04-00000000FE01}22963784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001465712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:27.679{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F8BDC9DB34080428B23C126F6AAF804,SHA256=D40BD637DF50F60497FE4688C0776F74BB104CE3348953EB3DC5DFC43BEFCA64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:27.492{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3DAF-6154-EC04-00000000FE01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:27.492{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:27.492{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:27.492{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:27.492{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:27.492{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:27.492{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:27.492{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:27.492{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:27.492{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:27.492{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3DAF-6154-EC04-00000000FE01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:27.492{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3DAF-6154-EC04-00000000FE01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:27.493{69CF5F33-3DAF-6154-EC04-00000000FE01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001465718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:28.992{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C65D892BB23FCE806C508E522392AF1,SHA256=D6DE314A3AB19B8C1B23BCFD6BE6AED49D1AD1FC9966FAB2CE4A9A7854FE8E47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:28.992{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B562AAD4338ADBC8C0B4DDC55C8A5282,SHA256=3A5E304D3E771D6C0DDC21F91F1F914C2235F25EE034DCDCC12F21E6D0CFD01E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:28.164{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D3B742248592578D01607B9272DA21,SHA256=3B2A742E8AA2A5535B6A86E0A1D6E6A963E3145E1A93EC93D676D637371E7EEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:25.664{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-13250-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:28.304{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E892C52DE69EDD63B565BFE2D9B92C4D,SHA256=67AA22F4B18787543B216A45C48826D52DDAE21D55B12BA4B75E6C69043B48D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:29.633{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3DB1-6154-ED04-00000000FE01}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:29.633{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:29.633{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:29.633{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:29.633{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:29.633{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:29.633{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:29.633{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:29.633{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:29.633{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:29.633{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3DB1-6154-ED04-00000000FE01}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:29.633{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3DB1-6154-ED04-00000000FE01}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:29.634{69CF5F33-3DB1-6154-ED04-00000000FE01}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001465719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:27.384{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-10921-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001559625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:29.305{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAF198E7F3A01279E2C408B3070DB7F1,SHA256=CAA060BAFE399E85327466D037369B3E5700150C78364CCB8A508B1EF6746C21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:29.305{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D199624A55D9990A8D29AE1DA4227A7,SHA256=34F0D12F1C217BBE2A0CDDD5B18C28CB666392F8C5AB46A90EAB4875ADE3B11B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:30.321{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05A463B5402BA29E0EDF2335A5578D4,SHA256=A9E008E8A24C19B4E384762FFE21EF20F2A6B2BE7AC8ED5C1CCDF57A7738C929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:30.117{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C9CA5CEF708ADFE69F8D0517D8963FE,SHA256=0EFDC849B06F37E22930A6F3A58E39C03C29052682DF164F073B2B9C0D4F4D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:30.008{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74724F9CCACE663589EF35454A30889C,SHA256=A0172032C39CF8F59C3AA67269A8F2F72205032173EC78B67CDD731371FB55C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:29.034{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-37827-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:28.483{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65302-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001559627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:31.321{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC865C1AB3A3CFA62D71AD33EF035BC,SHA256=359D2FAC0067026126D1948A7307F81924797B46807BA2F9A272FC3ECAF9E5B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:31.273{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33AD91534101D0CF32477B14E01CDA35,SHA256=9C412B79D90F8F1D86E1349C150D3A980AA958E3790787C1A5B720DB09A340BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:31.023{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E1F924AFCAC63820F375966435770F,SHA256=5F54EDEB43BEE218ECF29B6AA8EDA78AF4ACB6C54314F44A127A81F41A7EAE12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:32.367{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC74D155B03841F6D4DF5CF771506807,SHA256=17A20619D04685BCD02BB4D23AD4B44D7F5958E21830B9601ED2F94D5288ECA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:28.935{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51685-false10.0.1.12-8000- 354300x80000000000000001465738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:28.720{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17783-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:32.039{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7D302B25D98175CF64D8DB2923017B,SHA256=198A7DAFFA7B23D32BE4393D8E5A97399172F3793661D1F5DBD2FE3CF2479B5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:30.014{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-40455-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:32.321{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D28A5C0AA124458FF0B171E25C74E69,SHA256=5F3BEF0A12F683E828A465FC7B07979A8468196B3901DD2CBD3A1D8F996B58CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:31.001{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-46550-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:33.321{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1FA07B280ADA86E4F0FE4ACE7DFFEA,SHA256=A5FB6A3F3EEE1ADEF41F7DA9C4E6DEE1ECABC74B37691B43B22AD830EE896FAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:32.177{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-36999-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:30.990{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-30636-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:33.586{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDACCDF5AEE84F124689E086D81DE572,SHA256=574708D24FBD50F451449E8D9327531371C81151F617DCCE1BACFA666277BC1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:29.837{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-24213-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:33.055{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF09D8D04A53F1268D7C4ED4D05CF4D,SHA256=F1690ADC110DE8A1E0E82F6A6048EF9AAAC5E19CF931B3D634B9390B4784A5F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:34.664{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30FAC703C5BF2817061F76EA3F6BA6FE,SHA256=212EA6CA1F9FEB27625E814225A3EAF4D4ABC43E98D4F3FC47D6FEB4683E562F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:34.664{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4408AD1B9BA778C28F7CB5CF784496CC,SHA256=80A57F187F6E3299494C6639C09431AA31C5D4071BDC66F2E0DB4304C44F4928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:34.461{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BBB427982E5DC753FDBA111B5C4DB6EA,SHA256=E8D8FEB896F98DFAEF24BFBE4D371FAA81FEEDC913C448A6F10042C2A8890A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:34.321{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C3A25ABF0F467B0868C15391F23DA6,SHA256=0D6A89D9498E219FE113FF4418EDE3DBBD1C7BEE7853E33966963729D7025A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:34.711{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B294F3E222269E42A2C4F24E92AF019,SHA256=A8764D80844CDB867ADB63779A9D2D6099293C203E6356ACB2C02ADA6076E9ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:34.070{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5072E7F6474DC6DA43DB1A8692A7F79E,SHA256=DED4F01DB85C795D6CFEDEDDC7B7B32BE13049F0707C1D997E6B968E80442C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:35.321{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B32F3A486531FACE1CEAA842655E95,SHA256=F652540C536250009888C9E4837CADFE4BEBC2C8D648E82C4D3CFFCA1584D337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:35.836{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA0D40EDBCF55FFB92DF8ED7DC874FC8,SHA256=B0F4D7B935863615367A2E962DA7F4714C2991CEED18B013F2E30B42D49A0DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:35.086{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEF6C5E477FBCB1741ADD513DE7979A,SHA256=88CADEE5AE39B934E98886DDAE0AE78D2E149E4222225D993F21E131269981E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:34.452{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65303-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001559639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:36.321{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90AC79A26950CDF9538F36686552870B,SHA256=4A2B5956917B5C0B73E993CEE7E39993CF9DF5E123C51A699D7FFF6732B913FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:36.101{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E209E6FBC4C869A559F02EB3E505218E,SHA256=EC37418617E5AB4E3693590AD2BB06B415A94F44FAEF470ED813D9FC4BA52B7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:34.441{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-49690-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:33.935{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51686-false10.0.1.12-8000- 354300x80000000000000001465750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:33.303{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-43465-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001559642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:34.947{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-12382-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:37.321{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116616ECBDADB2A7709AA9BC347C7C04,SHA256=29558F46AEE30A82E32C5FB45A5BC0B30146C99AC302165C86D534D1ABA213F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:37.117{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED137A3181EAD850729CA4CEE059F578,SHA256=8EC63887E2DAB2B7B049520D0436A0B4C2B0827D6A50770907147F75B40CEF89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:37.039{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFBA5EB98BC5EE13B4666839DF43A909,SHA256=B5EB1A1C38C5549D67C47B992CBA112BB9F00E9CAA1EE954F5953D45DC47A77E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:38.852{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30FAC703C5BF2817061F76EA3F6BA6FE,SHA256=212EA6CA1F9FEB27625E814225A3EAF4D4ABC43E98D4F3FC47D6FEB4683E562F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:38.321{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61263775BD29F8667D4754A3E1ADD216,SHA256=7CC6110E2236941C862B021BC56881701A6F1855C932238D3FBE596336CDD501,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:35.667{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-56099-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:38.133{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D72E1B1C1AB2A8C8958947F31598F9,SHA256=2970AD587E86FC10EB7B79DA74C4AF40E4C4DCE43E7D96ABFE4E809E24A585D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:38.117{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1631DD10D8EEB9251E8F0E72AA80BB8,SHA256=3684C81CFD07280526814C4F911B711DD4BEE71981589E8D990E783C2AB70855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:39.321{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC3240581480A0DB70F9B72406DC597,SHA256=2BCBF5B5157ADBAA4A4A817E9D90E275B8186D3A08539425D3C14FDC4B91959B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:39.242{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F21521CF91C4A789DB298E2C7CD08E20,SHA256=8602D31B9AFFE2DC7506E64421981C9BEB524DDAFFF00120578D8D1DF98E6A30,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:36.754{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-3175-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:39.148{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FDF591BAA13AD38AD2C72291297E57,SHA256=4C830B27448CE77A87601B5A6C0D2B93C6D7D510F734EB7ED736CA55D289CF5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:40.367{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8506A5F635F07D24AA2F9B741453DB24,SHA256=2107ED3FEAF376AAB877D00D6A7E30575BEE73B1A3CFEB10259BE978E3AC158E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:37.844{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-9311-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:40.164{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=382EB4AB05D3C9D4677D71C5F8B398B2,SHA256=906E735CB21C53F572581784FDA8BB7033B3D6EE986DB208C858FD04752C0068,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:38.597{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-38565-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:40.321{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA376172A181696AB51BEDEC0FAB231E,SHA256=DE343395346E22735A590D379DF7C28A2891CFF9A461BC943923707059F49C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:41.461{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A932A6475FE707452C2F646788CEC38A,SHA256=BC946E5AD15DC02FCA3D5624FBD6A9190D71F89B191C2B9478788EF7B7AF40FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:38.972{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-15540-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:41.180{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533D1F0C1B7FD7D463283051833388C5,SHA256=530C7619AAE61964166C78A1082F32E87B5AB31D498F71818E0D0605640B19BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:41.321{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA059FE281666AF0FC7A452FCF91B8C,SHA256=0C4493685D793439D8273FAD8E564CC14BF7A3B1C386B974C14AFC3E3746BC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:41.118{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB7BF9155E03962F850A4825C41D38A3,SHA256=655A4A6624F5CE62E8F192A350856122C53B0056A5D9B62A4F41529B517CCFCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:42.981{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-153MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:40.848{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-51647-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:40.374{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65304-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001559650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:42.321{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93FEC625C7821E9F650ACF1D16A8DD47,SHA256=1FECA69A6F3EE978A2C80B868590D16D1AB033857A272A93A393AFE4BFC2ECC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.898{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3DBE-6154-EF04-00000000FE01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.898{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.898{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.898{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.898{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.898{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.898{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.898{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.898{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.898{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.898{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3DBE-6154-EF04-00000000FE01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.898{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3DBE-6154-EF04-00000000FE01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.899{69CF5F33-3DBE-6154-EF04-00000000FE01}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001465784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.539{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC0A2A85F225520C49AF5A27CD849F68,SHA256=1966E026336BFD124EA89DC72AA2A2A1B01638FD2BEC7B70E6DDDDF4CA0D7A17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.430{69CF5F33-3DBE-6154-EE04-00000000FE01}11723572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001465782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:39.748{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51687-false10.0.1.12-8000- 10341000x80000000000000001465781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.227{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3DBE-6154-EE04-00000000FE01}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.227{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.227{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.227{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.227{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.227{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.227{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.227{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.227{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.227{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.227{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-3DBE-6154-EE04-00000000FE01}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.227{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3DBE-6154-EE04-00000000FE01}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.227{69CF5F33-3DBE-6154-EE04-00000000FE01}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001465768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.180{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F70D7934E3B9C8603862A3CC463F2C,SHA256=779A5CBA13F77924886379FAE315571B5A51D3353F1DB7CAC2660BCB52E3F268,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:43.773{69CF5F33-3DBF-6154-F004-00000000FE01}3560740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001465815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:43.664{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=804AF1BA4BCF8502FEA0F05FCF4A5A9B,SHA256=52CD5C1C02ED1D4E07BC40F1916EE31203DFF950F333334FA037A04638CD92A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:43.570{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3DBF-6154-F004-00000000FE01}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:43.570{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:43.570{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:43.570{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:43.570{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:43.570{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:43.570{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:43.570{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:43.570{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:43.570{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:43.570{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3DBF-6154-F004-00000000FE01}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:43.570{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3DBF-6154-F004-00000000FE01}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:43.571{69CF5F33-3DBF-6154-F004-00000000FE01}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001465801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:41.177{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-27918-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:40.083{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-21916-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:43.289{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F020583BBD51343122DBA8AFB8E8906A,SHA256=66EC2BF0E2357E32D07C2DFB9C180206653E8E6CBBB024E86BBD5CEC52C49C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:43.992{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-154MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:43.413{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF9AAC0FF2BEDD60A1E0CCED7A403516,SHA256=F8F68CAE37884A5B890C06B294604B6ED1FEFF72433809B00B99097EA771813B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:43.335{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB578D67DA3BDB0EDFFB8C6763730EBF,SHA256=1A912390DE80667C3EFAB0E51AECCB680F3DE3A1C339E445E713E1897B982B1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:43.086{69CF5F33-3DBE-6154-EF04-00000000FE01}644952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001559657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:44.349{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC227E715A35D6C585781D31B824C86A,SHA256=8C8744D3B1458681E305880899483538CDBA62DD6F24430C18F5DF38A2FCCC79,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:42.270{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-33791-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001465829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:44.070{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3DC0-6154-F104-00000000FE01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:44.070{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:44.070{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:44.070{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:44.070{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:44.070{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:44.070{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:44.070{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:44.070{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:44.070{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:44.070{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-3DC0-6154-F104-00000000FE01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:44.070{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3DC0-6154-F104-00000000FE01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:44.071{69CF5F33-3DC0-6154-F104-00000000FE01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001559686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:43.710{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-7901-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001559685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.634{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001559658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.352{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C4190D34ECA94615878A3BE56FE989,SHA256=10809F1C20C95DA8DC2FC8038B1AFECB46F2C25CB295045C18ADF3A1E87688F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:45.867{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B78102421B1D19E5C6998002D624959,SHA256=1B946AC429661FB510EA1BE54B76A6020A90A2BCCDE9B1AE526B68906D583F19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:45.055{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0B8AC6A1E1C078CD887FE5EBAB326DC,SHA256=D71EA0599CAC1700069D0D3085D66DA669E446549AD4687B4B38DCF0DCE9FB6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:45.055{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC09287568576468DA58D0E3571AB68C,SHA256=CDB1A33F28C03FAEF73CA282A9E9EC16EC3D229890B941C4E999501963E51860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:46.493{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C2E2B7751E75360816681411B1D3CD3,SHA256=EC970A0B63E2864DF67CF31A487C9B1F6B35A3A2031632810E9C0D083DC7801C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:46.945{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23B797135F7184658DA06A572455DA06,SHA256=20CC8EB74E24D8749F983FC79CCD56EABDFB2409E34AB4ADB7073EFD32A64A6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:44.747{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51688-false10.0.1.12-8000- 354300x80000000000000001465836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:44.504{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-46085-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:43.390{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-39879-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:46.070{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524389257ABF81A0543B4D02F4C37F84,SHA256=FEF7DFC9E3E4818046E1F460CA480656FF4313509490A9CCF35BEF4C0953AA7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:45.469{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65305-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001559690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:47.712{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:47.493{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D405D5DAABA8837E3567D324956274,SHA256=E12E557255791B6BAAA434A47C0CEBA27ACB183B6C0C32735469F349CE150858,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:45.582{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-51807-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:47.133{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA1BE656664BCE4A844685937EEBB2D,SHA256=CE496EB7AF3E5EDFAEC03B4C0EE99CDBD14CB592DF54669F8BAFD5B0AA68A3D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:47.399{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE22714091B5356BD3835D85ADDE6EB0,SHA256=F22E515E25EA6F9D87D305909891003EBEB353D10D5B2FBD859F9293B5000FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:48.493{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB22065B7CF62BC8CBDAD07FC15E4D0,SHA256=4469E589476FB756E42AC203E6A2873F195AA98A1A5FB05EE95D5FEFE34B0C31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:48.149{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231C6B8F4D81A1E46EB38CD486FD5A5E,SHA256=F3F3768F4C13A81620D5ED797515A110C6A5165ED5B40C48423D0D9F1C742BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:48.055{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=887747E6BA5C272AD44B2E1B72E2DD40,SHA256=E4AA79076DB233AD391F668805C09F160E0A2C735D741FAA2C1098D428B9CC29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:49.716{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAC903BE683B81ADD3367D39CE735552,SHA256=F6CE47101E690CBCBD55596715E1841C3702CEFD9EE40CED6E4A24F580E97BB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:49.497{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04347A2B8F433B557F5FCDA7A0E4127D,SHA256=68F47853112DB8367A18B26251680CC6EA7C18C9EEFDB707C6626999DF5E082E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:46.672{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-57930-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:49.195{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62CEF50024C8DCB0B9963E71E7200975,SHA256=FADEB1BF09F6986C947E0A0A1E6C393D1BB2FF363F2DE6F5F2B02BF9100F456B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:49.164{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB8BDB4F899EEEB175B88EC1D8EF1FD,SHA256=90631C77C4805C13D1E74918C7D5E1640A13BBBDE58D729421A2B32E575ABA66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:50.669{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA907FD17E32492D7231E4ADBEF5EA40,SHA256=5DECA8E0D60F002781680A833B65D3EB647B4D5C755EF6FE2CC8CB9B69F4B4F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:48.910{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-11183-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:47.800{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-5042-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:50.289{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A77FE5F4F8DF8F90AA1B4BBEC0BB464E,SHA256=A9506C8E9310988ED3D7E9AE93605D6263CD4683493EC318C6349B776D59ED62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:50.227{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790703C0AC936DBF0D5A8B3BE06F2700,SHA256=13560F930D8697FB8B171DFE35292831C58EF2E3699206269E3DA73791EAB52E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:47.195{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-32567-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:47.031{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65306-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001559698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:51.669{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E382A7C12023E64C3034698191A3F902,SHA256=332AFA146B7662725660524142FAFF6DAC3037E85F4A48F6A6C5098B8974BA6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:49.747{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51689-false10.0.1.12-8000- 23542300x80000000000000001465851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:51.383{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05A88ED5DBE6DCE5829AB2ECB15BFB92,SHA256=25400F385763A01152AEE2720CA0627788A30C1566EBFD3AA23488CB00139A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:51.242{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AEA8DB7FCAD4B622791E34BCBA62E9,SHA256=0FB0931D43E1F204ADE1268DE3D8E3D254EE0F933808070EA06B46E0D507BDF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:52.716{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C302A934ABFC59F4CFD97083A3DA36,SHA256=F9B908C5C36C84C6BFDD5893913FD0F8367C87C868744D132CEAFADA35F0150D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:52.508{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8552A32F0DE77A1EACB95A6C478F5FA9,SHA256=0BA617E3D133BAE42B27C1D9D0F4171AE487E3D651876353A357978E2538449F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:50.004{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17212-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:52.274{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1728AF19C51317B45C4157954A3DAEEA,SHA256=D3DB6935656B3C8826FCEE68736A64639CD8395060055A0A9920AEE0CB9B8F97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:49.487{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-47155-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:52.138{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A699DF9C437C666083341EDCDDC80AD9,SHA256=385D6F67A4A8AD6128C0797859B733501CE093CBD0BBF1421D16F825CF1556EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:53.716{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215A1C72B2FBBE88FC2956140AEA8B31,SHA256=535A922231211AB8929304FB4260699C3ACE2D0E6AB61D4FD1B650309F22CAC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:53.633{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5997C623EA695C23DC499A82D7AF87A9,SHA256=53A9007E12C184058F68D7D66815BC0BE2B4E37D2A55CC12BC93B7D0C27C8FAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:51.109{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-22910-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:53.274{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=036325D1BE148D0010EC2236864CDA3F,SHA256=83322E135452EB0B5CA0464320E05E958E9633967729D0B40DA8850B3E7FF6A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:54.716{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD23E9AB24470A32E50C91D2A34253D7,SHA256=29072EAEA41A50D17B3D161C7D555D767809AA087BF279772D4536898BA94122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:54.758{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D220BA773AA5E7D253F6CDA8B009880,SHA256=7322F93865143C38A6B9772B9640C16715BF65F8C336067E7098477DD9E75379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:54.289{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57407C1FDF1281A6FF7CB6C663132DA,SHA256=2FC84B0702E8F6F697ECBC58FBFD259B2F2D358B1CDFA5BCD2B1A66031051E7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:54.466{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07DD189575622F3229594BC71315EF58,SHA256=AF19E8CF4312F191AC5467B2D35880CF7E49FD72E8116B3D1F8F333E11EF7308,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:51.872{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-3252-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:51.473{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65307-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001559707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:55.716{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E0D7B21F76A84C391195CEECB79BD5F,SHA256=9F97766B3E2FBA820BA96D5BC1DA4EE491BF754B82134894E773C86E17C655F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:55.883{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39FEB435F6C547E39A350737CD1B95E1,SHA256=F3B06314A3A31D2EE5400759820B80270DC232672E9466D289526B6C75CE78CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:52.234{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-28628-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:55.305{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B902983D2D51ED315BFD0C6C4C4F9C51,SHA256=68754642A0F7433C38F38256EBBE49B009B8169B3264627DFF67275EDE6C128A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:56.747{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB31BB16855361679C5B24348A403FAC,SHA256=93DF4F37C07DAF0A3D14D256F0C5AC0787A934F8E3FF887978F6825C324186E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:56.747{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0173655F7876653D25E7E6C5CE9B8C9,SHA256=F27B717808F2E4DDC6BB3306B1FAAAB88F3AFC4C9F355578E9ABE6FE7C5A3B02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001559715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:56.747{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3DCC-6154-2C05-00000000FE01}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:56.747{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:56.747{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:56.747{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:56.747{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:56.747{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3DCC-6154-2C05-00000000FE01}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:56.747{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3DCC-6154-2C05-00000000FE01}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:56.748{5EBD8912-3DCC-6154-2C05-00000000FE01}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001465867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:54.872{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51690-false10.0.1.12-8000- 354300x80000000000000001465866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:54.484{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-40528-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:53.361{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-34581-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:56.321{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1409BE5AE7408AF1F2569EF45EE29572,SHA256=C2AE090E5E1FD62A45C27F8FE5DA5F32992C715341529017DB9FB318BBCC6CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:57.748{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B47B2B528CC67BD88D8D89B8F6161BF0,SHA256=73E432D975CE494900BAEE01C572EC5D4A2E321C1F5E29182BD1FEB8AD24E038,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:57.748{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B4DF8A556659507BF43135C868A73B3,SHA256=CCAF8EAB6EEEB87F259019A1A9C7599C5C355109E87CEC29681AA320A558982C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001559735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:57.748{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3DCD-6154-2E05-00000000FE01}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:57.748{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:57.748{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:57.748{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:57.748{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:57.748{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3DCD-6154-2E05-00000000FE01}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:57.748{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3DCD-6154-2E05-00000000FE01}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:57.749{5EBD8912-3DCD-6154-2E05-00000000FE01}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001465870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:55.612{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-46855-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:57.336{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8F672781C13CB38E3D2950295915274,SHA256=FB961E3286E69321DB5178C63E0700D99828D503D832BBDF1D1366516E72B789,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001559727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:57.482{5EBD8912-3DCD-6154-2D05-00000000FE01}61161608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001559726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:54.212{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-17803-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001559725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:57.247{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3DCD-6154-2D05-00000000FE01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:57.247{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:57.247{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:57.247{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:57.247{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:57.247{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3DCD-6154-2D05-00000000FE01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:57.247{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3DCD-6154-2D05-00000000FE01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:57.248{5EBD8912-3DCD-6154-2D05-00000000FE01}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001465868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:57.008{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31C628C9DFEE20D4E42050EB6D005FEC,SHA256=6A0B7E842AEEC273782E485816470B72D442AA71F4ABBCA8D98664CFEAA5DAC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:58.748{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE076A72BC8C7B1B38AA4DC42AA839AA,SHA256=2485A60715292C58AD7548324B157720F996369E2E08E9F1EFC6B374491B489E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:58.748{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0791510473DDCED74670E8D24743CD3,SHA256=A9660BF7F25F5909E38B424B33B8E8A52809186FC22302AA57F37C5C3A173563,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:56.722{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-52841-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:58.352{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E56F151C1623A3BF6982E18108F84DA,SHA256=2F5780965F9BC1CF59504D3A3338C3F8FAE0EF3B3B28489432A4E86169CD2FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:58.102{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=650F8726447363E1A6B88D35D1DF2B68,SHA256=57C9886F36452CE797C9EAD95911213CF358C3A1C7DEC63BD7514F8DF7B070D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:59.748{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60B18CB01FBD3B567AFF218F5392F69,SHA256=F68C5C2AC9EE58D14B55904D8C2E611199D7669BC41EFCB0C32982422946D6E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:57.816{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-58856-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:59.367{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ABA94874E52BC8F38E48FECAC2FF5AB,SHA256=E1D4D8DBF99EA66D80D12D496F387A3A6A63DD1788DC626F46D55D55EA63D475,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:57.426{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65308-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001559740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:19:56.965{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-31826-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:59.258{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63593E7AE0129C8AB069EFFB0DDE02D8,SHA256=9B2DD6936F0B2B58F8EC1D6498921B25573A616E944B9AF0869766CE5ADC5D5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:00.383{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE2B22CF063BCAD46D4E23830A0FAA9,SHA256=CC0C78F93F30C6C425E30C9459B0EA56C6CFF50378D42E70865B8653DB31BE21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:00.383{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E677B8DA6D0991AA3D2256642A7F1D65,SHA256=017B58D689095E277B0C97854A40EFAF4B43E7BCD5E251CE4848870FBC30BD0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001559753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:00.998{5EBD8912-3DD0-6154-2F05-00000000FE01}60961684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:00.763{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3DD0-6154-2F05-00000000FE01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:00.763{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:00.763{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:00.763{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:00.763{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:00.763{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3DD0-6154-2F05-00000000FE01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:00.763{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3DD0-6154-2F05-00000000FE01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:00.764{5EBD8912-3DD0-6154-2F05-00000000FE01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001559744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:00.748{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD32A892CD88B010EFAB8AA397EBFDB,SHA256=A7B883CCF8D2F80B62585A6A98E549520709430980F465C443E3F66E78DF7287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:00.638{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7507D5965F4B21C56AB22013760897E,SHA256=0CEF86F196EC2213C4835C80E707E6216237F91AB848BA21F052DF69E6A9765A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:01.826{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E580FF86CF52A7EF8ED4F9B6D9DF8E5B,SHA256=BE2DC887D8E432EC32666B2731D4C8B07ACF33CC871D3013D924FB7FC46AAAB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:00.129{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-12364-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:19:58.986{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-6244-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:01.539{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F236D9287EB798EB90B11B5691598F8F,SHA256=22ABF88BE7EDDD4ADA2AA65BA2A580544F146E3DA75A110B24AB022207DE709F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:01.399{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A41EF78446E29A4537CA4F2CAAD84A75,SHA256=6D88C821797D5E44789DBF0FCCEB31F4744D8D6C08A23B679D276DFA9D207480,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001559771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:01.779{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3DD1-6154-3105-00000000FE01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:01.779{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:01.779{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:01.779{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:01.779{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:01.779{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-3DD1-6154-3105-00000000FE01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:01.779{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3DD1-6154-3105-00000000FE01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:01.780{5EBD8912-3DD1-6154-3105-00000000FE01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001559763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:01.716{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=363912076C72F6FEEE48D116B863F241,SHA256=65D70A6982C21D5609328C07FBC65DD2ECC583AAE74AEB6985474AFAB0617A8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001559762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:01.513{5EBD8912-3DD1-6154-3005-00000000FE01}12525436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:01.263{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3DD1-6154-3005-00000000FE01}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:01.263{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:01.263{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:01.263{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:01.263{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-3DD1-6154-3005-00000000FE01}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:01.263{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:01.263{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3DD1-6154-3005-00000000FE01}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:01.264{5EBD8912-3DD1-6154-3005-00000000FE01}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001559777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:02.841{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4516503EE4154CC4B44A849F4D2F8DBB,SHA256=4864F02EB4B5B362A3C15893556F772EADA358AD7D15D66E7D26855A5320A269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:02.841{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E9AB41B790255FCB9C7065B47F231A,SHA256=DB8EED91B56BC5621807221D9B61BC255A8698044F6FBBACEED44A76A367AEC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:02.664{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89144C333F65D600BDBC30EECB7EB045,SHA256=69789476303E798E3591F3881496416D4515CD1A40FCC1680549625FAC6275A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:00.779{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51691-false10.0.1.12-8000- 23542300x80000000000000001465883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:02.399{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EE609D1657492B8513F9A6FE71A23A9,SHA256=833E18A0BA0A7FE6312BE432C29F801EA94E371317A34E78E6AE59C3A7F9DDB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:00.035{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65309-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001559774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:00.035{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65309-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 10341000x80000000000000001559773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:02.045{5EBD8912-3DD1-6154-3105-00000000FE01}59842452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001559787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:03.857{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B9A939C66479E60862F982A1CE385E,SHA256=BD70AD8664B19BF1A3ED15E7D4B7D9080D9B4D6D6D93979C7275B27E679D51A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:03.789{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BAFEEA98769DA844E485D899EA328B7,SHA256=6CD4DB175E83C93D218B950C651B0C3FAE44329E88EC604A3A3C26FCCE05C923,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:01.267{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-18583-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:03.414{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9DB19183AC00425A35731BF789E72C4,SHA256=74C38E960B0A411D7D77DB02C6D780ACD52C490BE55172520CBA6E0894C54F96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001559786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:03.466{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-3DD3-6154-3205-00000000FE01}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:03.466{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:03.466{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:03.466{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:03.466{5EBD8912-18AB-6154-0C00-00000000FE01}8524560C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001559781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:03.466{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-3DD3-6154-3205-00000000FE01}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001559780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:03.466{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-3DD3-6154-3205-00000000FE01}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001559779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:03.467{5EBD8912-3DD3-6154-3205-00000000FE01}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001559778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:00.892{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-56116-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:04.873{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=922773356B5DB9C8BC966577BA7CE98B,SHA256=5EC5902A4ABBE14AFA3B305F7EC6B25AA32A6F90067F790129AF58238DA8E4BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:04.883{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92913A6E25F2A2F47D88832C896D00E3,SHA256=40ECDA66DD8B5443032067F1BFC9FC1408D45FBF85AC25DD429BA3CE858A9447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:04.415{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9C3845C1D1D741274E1AA881EC1F7A,SHA256=245C2C5C59BCD6D2BE97DE626E917558BB48EA3ED9A2DBDC489DE4CAF79DF433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:04.576{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3607530E2BB5DEA9FBCCDB8DAD30674A,SHA256=9DBD0AE71C9F4DBFEF2E1952AA23D3259DE0B396A176BC7F9206FA2250D5FA39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:05.873{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A749DE200874945F2076C338552A89BD,SHA256=466C586DEF916DC66CFC8565C0833D76261853DE9693FB007BB990A6485A75E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:03.503{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-31027-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:02.397{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-24806-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:05.430{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E829ADF42E8862359F94100BF5B812,SHA256=0E1C09BF2850D1CC0FE4352A97F6E44D2A496D320F1784118754EDFC4DA35BC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:03.365{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65310-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001559792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:06.873{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80965D97B5845B3CA0DE0876BD19EFD,SHA256=51ABF0CFC2024A05FF43FA9D2159A2D434C0DAF54A75944AB7D6668BA3C09353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:06.446{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A09E73300A998A635C00AC78BBB7FD42,SHA256=E8BA421B34955A05BF887EF888D24E0880AFFDA0CF0D326D70BC0C85EB361D49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:06.008{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37AAE0D93249BDD90A1AB5A3CC8334D1,SHA256=17F711A14E9CF60FF420C8F9426D56E33947A635BF57110263CFC0E944F4DD10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:07.888{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC58BE1CB1260CBE0118FC36E4D2D57A,SHA256=A395DEE23BD4369932F7D6FAF2550D6B9DD50963AE05FE9C107A4F056F4C8EC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:05.935{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51692-false10.0.1.12-8000- 354300x80000000000000001465899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:05.737{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-43237-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:04.609{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-36958-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:07.461{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F29E67BA26FDCD312173F78FA58C552,SHA256=1F71EE73ED1BF9FC69D211E460D26FABEA2C03B13637265559EE1C174D62EA17,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:04.906{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-20354-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:07.133{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04B1ACBE42C8AF3DD4C776C9A43EF90C,SHA256=B24CBD5B9CF9C0C054578DFBE173AF99DD487AC655F3A21C90AABF07A9BA8DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:08.893{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C615186D731E3D2183D9E7197BFFC25,SHA256=84F07DE561B4CD651F946E8C6764454D47C31C3E775384CEDD792D63B194703F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:08.477{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE08487C69392EE2CB6B49283043723,SHA256=65F6E5DE57B6EBC8D1974FF71EBABE201776EC6AD549E97FB5C2D83B749A3251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:08.576{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB8E082E15BCDA19C25BA788FCCA8F51,SHA256=350CF2F5E146749F6AEC4F9EF332187870AECB53FAD674FBAAA4FD2C3AD979E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:08.274{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA25A49ADEFF0EFC1CAAEE7761B25E5B,SHA256=025071764F0A992C97CB636A40ADCA2E809C3B857D3D742A9AB36132DAFF29A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:09.893{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC7B98018C598CF076ABF47BD3FEDE8,SHA256=C8B8C9CFC928D1D18F6F395C7B98AD8C607F79FAF028481E2307A1BDF10CD8F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:08.003{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-55449-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:06.862{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-49130-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:09.493{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F78C8F2A1A8A5E7321B6A75E622F0650,SHA256=AB0862B58CFBACF99473B29F589ED029C2CB7CEDBFB4E777BDC9AB368395F594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:09.399{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4DAF8BDD1C4AE25AC001819345752A5,SHA256=277FB501274A5EF616D665C6A07D6433A749585C99C45867BC31CD93ADB17CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:10.924{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A9DB83E2293FF0373F8A1043E7E6D6,SHA256=6ECCF0F8E346AC0CD338F5748DC9A9AD6C378A8BB9D1D0FD6BE3834AEBE091A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:09.129{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-2606-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:10.524{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64F42AD283D162AF545F4387EAB8F303,SHA256=4F282886FB2B232E9265111DFA46B693FF456931448DD824AA923CE0489FCAD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:10.508{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ACEAC89171881CB1D3F150A168AAC2A,SHA256=2D7491E6B0E4FF7EE946E0A65D0B326F8C0051B5DE6AD04AFE21C36B0988E073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:10.846{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7528A1EC662219B76AEBEE2570D52314,SHA256=A90784EA3CCC855E02F49BE97E94A6B3B536CDC89132C8FF0682ADA95BF169DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:08.494{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65311-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001559798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:08.333{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-46340-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:11.940{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0DD5073C68D028AE1CD23192C3918F,SHA256=AA5A62AA7262B5364667ED0685071E676414E3654E056961E726FEF33C82C192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:11.649{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3235FB4469AA22A8CC26E1C9473D9BA8,SHA256=4DE8741BCF78CE3580D8EEDF043BC7BA92ED66620EB68A9525C8ED04DE283FAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:11.524{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E91E69DBA21945A55552CF7F0E12CC9,SHA256=FE6B35EB4F9A4FB02CF619407BFBF423A02ED046E5410563DFCBD88004ECA721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:12.956{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929E9123F5578F9C0704F83B2571267F,SHA256=761F43999DB1ABA2BA9E7724052AF0C3598ECC46EF6FB13156023169225C3C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:12.728{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B88094D6EA1FF646DADDE6FFAAE668DC,SHA256=4038D8A671D5C26B58642812B164F4C15084076D33DC03590303D427AA90BB94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:12.524{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C74F6C168610A7715B06EB0744A925E,SHA256=556BC25C45BDD5434D1623C5AAC4BE58211C99F0D08ED4EF378671B14761165C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:13.884{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B650D4442B5D59D4CBD91C87809DC36E,SHA256=1776058276B72B200676AB03DFCDE9733A8EAE25A4BF1D7C66DE6834E73F944A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:13.525{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817DF94848E380B01B78C86B66D7D907,SHA256=9E0B109548AB0F19B00B17268386E1318B377ED59B1E39714090F9BF150CAB65,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:10.579{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-1609-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:13.956{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C9C0BD6ADF11D2EBDB8B3A9C68C918,SHA256=779D371B9DF47DCAC963F7F85C2330C9FA324EA37D7153DFB67EF07550B9741A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:13.128{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16815C2080571C4706A73A11BF90C31E,SHA256=513FF9A86E3CA0789A2F428E4878134D26DEEF0B8F78214D3969F7524569C290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:13.059{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-154MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:10.922{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-20760-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:10.249{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-8746-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001559807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:14.956{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3717E268B8C5D9112004B7D2248DFB4C,SHA256=3DC83A97A28B6C8FC4650819F6A397A607F30D777D1162F2C96C761A1258767E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:14.537{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9419B3E9AFF0C1D837C5A2A28832C281,SHA256=B7641F3B8640AAC963BBECF8ECEE1802AB4A44B307830984CA1B247C41CA0D7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:12.096{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-28001-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:11.919{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51693-false10.0.1.12-8000- 354300x80000000000000001465921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:11.364{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-15111-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:10.953{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-20982-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:14.073{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-155MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:15.971{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA138070838F0CD101C91FE7C8D70D3,SHA256=2FA96539E73AA267037563D467E417CC7B4914A78CE8C012E8CDD2CC05DBC958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:15.540{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13C71C09B28CA0E2B519758D28F3E75,SHA256=DE90D824536445EE899C9DB93EBC4D9B8BDA03A22566E6A406F8B5B59A95F4DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:15.243{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=29D2B514CD1D9263407967478BAF3754,SHA256=9737B14359AF0418BDBC2C58544BAC277775EB2B1D687FED4523879014001F04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:12.472{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-21134-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:15.056{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33D227B2C3BCC0636F215FB1C8E29ABE,SHA256=D0B7D238F09B0DCF0B1D088FA343514D669CED556CF189EEDA407491F6790A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:16.556{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34AAB7ADC455D9E76E066731E7749F5C,SHA256=93BA7908678F0D0E367F35EE9043480459BC498F9F51C4145F61B62425F352EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:13.598{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-27119-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:13.221{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-35017-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:16.134{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31CC2ED37FD128AABA962D82697197DE,SHA256=CD4E378555CFF8C30BAEA980CD96CF7538F6BE3DE626D69C8FADFC7C78ED54EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:17.681{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:17.571{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF984258356111DA995F3D5E6EB4E335,SHA256=29400A924F089883BC43E9834CCAC9BA8D9D93610F40579594BE04C6DD4F1BAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:17.159{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E58F81AA3C2B378FE121010BB9CF9B1,SHA256=C03EC217DE9A10818CD2AC09E71562C1A450315D5A10A3C51EFA539F833471DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:17.034{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F48EA1AB6A7340037FFE829D847036,SHA256=0FD27338B602A86E4CD5EA3ECA26B4DDE57CA35A4FF4B86996A73647042C6A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:17.384{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CFF323A33C8548BE49C8EF07C179746,SHA256=6B089EF283D193499F321ECB1771038F9CF2E7D4AF2F1FF5F0051B10F03AB367,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:14.345{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-41997-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001559810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:14.509{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65312-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001559809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:13.591{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-16414-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:18.587{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F366174D05C0EC5D09072D916BD4922F,SHA256=13A72DFCA7FC97E40A2A9B20B4279F3566EE68BB09FF731F5470E0772C627203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:18.081{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A007F843C738E407E428BA90BDADA18,SHA256=BDC799562C153807EC2E5232AFA302418E3223E9C265E6476EFFB6E5A9E9F1E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:18.462{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF70E59F11E56263D68F6372F424EF81,SHA256=E832EC36FC3C92C1AE78396F698D0C05BEB1FEFF135681AFE3E0C338A0312722,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:15.848{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-39421-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:15.470{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-48770-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:14.769{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-33484-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:19.681{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B1268D603BF77192F17F95C44ED155,SHA256=E550DAA0878E5349E4E16BA7BF73DE0105A7216C51F4B6FDDF4DE8E458DE5C4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:19.315{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DBD54669C333D55FF187BB65ACC3C31,SHA256=01FC01DC17ED31D98C0B5E9F94F26779BF3E88E9D970F7B640EB5753387DE6A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:19.587{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F21CDAE1179038AA43AF448DADCCFAE,SHA256=4CF91031F3BD0AA96B19137194B6FABA2BAADE03822E4B3C86E9B3AC8B845370,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:17.704{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-3409-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:17.373{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51694-false10.0.1.12-8089- 354300x80000000000000001465943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:17.098{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-46122-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:16.593{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-55655-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001465951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:20.712{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8859BA80AF7D231449E12485238A7EF5,SHA256=6156612E2EB25A6E5940793E905B0B8488E48ABF358D07B3D131ED3610001571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:20.712{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE4DC8904DE58E175A886C15B4E3BD1,SHA256=F4947ED9147ADFD5260306A0934A2221171516D753CDC7A18D543EF18740D107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:20.956{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55D250B94194A5FD26D89FD64FF942B3,SHA256=D60C5B5D2785FD6C7C2973A4A93C1AD4A1058EB3D4C759FF87EBAC85B19A669E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:20.362{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2157E8B5E1BB3D27731A727B6CC9601B,SHA256=E9B40A779F51F06FBD39F449850B51D04A4C3D78D36260563CC540C9EC5B3A48,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:18.191{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-51996-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:17.873{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51695-false10.0.1.12-8000- 354300x80000000000000001559815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:17.460{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-40695-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:21.791{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6947CB94DD2230580BEB93F0B03280DC,SHA256=CF4CAD798AE7CD8F3B5B63B15FAD27B2DEAC4710D9E3D8DEDFBC29DFC303331F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:21.743{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4880E794A83FC0BD7E0E80798CF14DED,SHA256=89EF9C24CA816D67D7DA86C93E8A7E6B04A619C2E000CF4E25B225C285751375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:21.362{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A208678D820106182ECC79D7963C14,SHA256=5445C3E20F5C27C5BC02C17CC29955A89BDA538F295B120112BD07EED62F5CD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:18.815{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-10289-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001559819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:19.218{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-29884-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:19.197{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-29793-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:22.884{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E8EA4F057C7556AF872BC9BB7F8385A,SHA256=9A349264C3D0305F2B6A75913E4894C408DC8D52FC702444B444300BA099103F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:22.775{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88999FD52BF447F99D0ED3DE859C269A,SHA256=CC640C7FA77255BB19AD531A79AD8D87226CA0C99804B6C09920DBB374980D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:22.378{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0AEFEE852CCB59FB6ADC94C76D9AFBD,SHA256=BD9209E07D61CFB3F08C4411AACFED0A7933BDDBFC178C6AEE676E39EAE09EFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:19.908{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-17079-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:19.315{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-58198-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001559821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:22.096{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B631E3ABED1FDE07AFBCCB93F2211C13,SHA256=1553E7C2D49A4A6856F4A080827044B37FA3130532A67BF472D4F0371819820E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:23.821{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8B05DC83D63B7F0D0F283085BEAA86,SHA256=96FD8495521F60B2C90830351226F337054F684158D2C820F9822E37D6F7EE76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:23.378{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D5138E20B435B46945DBA008044ECF,SHA256=3CCDFE6B3A175DF22B3871FA27FB0F94D2ED03B26C80A98670C640649B904867,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:20.426{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-5262-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001559825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:23.190{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF2E75549AD2D5B2CA89222F03C197D3,SHA256=B6CFD63DB7B69F5BB996B270F98E1DCEB567F30B98C5DE77EB638E963A5F6D0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:20.368{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-34871-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:20.353{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local65313-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001465965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:24.853{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32CD22F29D6098FCF9AA285CC9A36353,SHA256=0ECB4ED66C178FBDB72F3FF06D5201C34A425E38A8C2094039AE91DB4E605A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:24.378{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B20B41B2CA43352AF9A2675725E580F,SHA256=EC4C012AFD8A9FFC13AC2FE99F89C909A6802A60994AE55B306B8789E7313787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:24.618{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55A965AAACEEDE8427AC640789EA413D,SHA256=348681246208F8A9CB457D42D0B2F8EAB0FD3A99C67349D2C0BEE70784A98770,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:22.127{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-31186-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:21.505{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-11000-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:21.044{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-24112-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001559829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:24.300{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BA8677E64B60A6FFB5F8EC52441CA85,SHA256=9C2FF2F2883A6D684D87D9D477EFD4800BFD64E6E6D67F8DC69D1A38FA06957F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001559828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:21.448{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-39317-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:20.907{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-6807-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001465969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:25.884{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F67635608E5833E85020426F948CB0,SHA256=350555E0936C0B0FA794B00C5BDD2139CA144FE5D72C92A32764E7D5E56D0AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:25.425{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63B9B682F064D18E724DA34399A7D96C,SHA256=E2489892135D391D022AB66A978522A49ABDFB82F3DAD5F83677F18E6519FA5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:25.393{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8036DBCB0805DA05F80B2500B145FF,SHA256=1E23C2C3385DC8D31EC96EB4B60AB42A9F202CC58ED9A8B1045C05BEB4CA6512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001465968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:25.743{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02B918C7E16603824BB42673C4F99D49,SHA256=714BDCEB6A5632EA6C973D97D0D30EA6B49DDA7065947417E8DF81EE48227C51,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:23.221{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-37970-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001465966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:22.920{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local51696-false10.0.1.12-8000- 23542300x80000000000000001465985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:26.901{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D299727B7E352CD162455158477A16,SHA256=BC8F5D0035B41829BFF38E7ED1696A872F577807E03C79074B7AD411DB39E224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:26.487{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1072FD9120B1FD0BFF2EA67AF26F33F2,SHA256=D2DD9D144EC2F0259C1E0AB0AB991040137F2506A29DCEC8CDE99D586E4F33D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:26.393{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=915E2039FAB3442E888B89712F1DAEEE,SHA256=ED2C737B447F4773173FDECA461DFB412FA6907EAD9427A3B365B4427003D602,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001465984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:26.837{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3DEA-6154-F204-00000000FE01}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:26.837{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:26.837{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:26.837{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:26.837{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:26.837{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:26.837{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:26.837{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:26.837{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:26.837{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:26.837{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3DEA-6154-F204-00000000FE01}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:26.837{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3DEA-6154-F204-00000000FE01}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:26.838{69CF5F33-3DEA-6154-F204-00000000FE01}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001465971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:26.822{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23720B2E8689215B25DCC7E86BE4993C,SHA256=CBBB790C1C3300A019F95E81E0CF37D711AD91F3153620A7D9ECECFF8B0F8E05,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001465970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:24.337{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-44857-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001559835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:23.650{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-48905-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:23.129{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-20423-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001559833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:22.569{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-44357-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001559840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:27.565{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6AE64A124FA924581618EA6AE232F8B,SHA256=F197CCDB8AE73A23AEF44681AED4F74FAB6DCDF49BDC7E659EE8A6FE3ECEF9D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001559839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:27.393{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD16ADFB2D1B67DA04AB139CC4B07C66,SHA256=B09E6B8338843642EF7B6CD8B7357B636FF05D69DFA941B3B57287CDAE78C36C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001466001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:27.853{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43CF120E9A8C578FFE387D3EA9F58930,SHA256=8B3DF18B4CD0F8BAEE3D28137059EA935413D390589A9008831CF795C5C70DBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001466000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:27.728{69CF5F33-3DEB-6154-F304-00000000FE01}2296512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:27.509{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-3DEB-6154-F304-00000000FE01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:27.509{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:27.509{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:27.509{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:27.509{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:27.509{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:27.509{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:27.509{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:27.509{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:27.509{69CF5F33-1899-6154-0C00-00000000FE01}7324072C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001465989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:27.509{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-3DEB-6154-F304-00000000FE01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001465988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:27.509{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-3DEB-6154-F304-00000000FE01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001465987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:27.510{69CF5F33-3DEB-6154-F304-00000000FE01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001465986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 10:20:25.455{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-51954-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001559838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 10:20:24.760{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-53632-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server