23542300x80000000000000001287184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:40.803{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF9C9AB6F30CBC673A4AE5404B2B61F,SHA256=A84C593D6F4C1743E681528B5D54649631E6A55E44F9F14DF8BE393DF88ABA1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:40.268{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF2654A46F874FBDF8EB99D21C2C3A4,SHA256=77B65A7B574F0A1FD3D8A1CB12667A175C14E012096FFAB43FB186405781F5B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:41.818{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05FB7B2534D052CF559537B9E7FC8EFF,SHA256=4A69046393AB6D606918FCA0CA440CAADBBBC7C2819148FDDB9A40ABD7F73A45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:41.867{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=9B582128822764EBD365D131E1C273DD,SHA256=401E01A52ADB41AEDBB8D99FF369DE7CB193D1CF8A8DC48F9BCD272297D53F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:41.451{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D257051A1EF5CE7C79396A76DE86FC79,SHA256=4514A0BDF37840377E71E01A3C6C4E93C7F8AEE2A8D9152D779F1A449291C966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:41.450{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=ACA12B0E8EE8DF4E1C8DF3D9DD2EC191,SHA256=4E4AB3144FCE43B6A3D97237235DF9B256E0074035EFB638F50B12792CB96722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:41.283{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0E0EDDD606DC5BD10C0A11033C51F6,SHA256=27C712C6F7A58CE98A2E8A308AA42BF9D6CD9ACD328DB1547937D431A6B53BB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:38.435{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61516-false10.0.1.12-8000- 23542300x80000000000000001287187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:42.818{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C26CFD56F9BA2E59E7AB854242A8F5,SHA256=4A053F75BA42DAD55B32A9A66B31CDA1F17F39D5E147794A07DADEFD466EE21A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:42.966{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8256041DDCE01DAE9385CF4F789C0548,SHA256=9F780F0623DB966164AB5C7B7BE95AE08BEFC9054F96631A7EE63690543DA93C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:42.966{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=550D691E9CAAA7B3319B0E036389C042,SHA256=2D257EAA546982FFC4A47E4759EC2E2863ADF49C251674517EA8457838364A61,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:41.420{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-65156-false127.0.0.1-53domain 23542300x80000000000000001381187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:42.298{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B28578E74A3C41E6735DFE6A18226E2F,SHA256=E81B04E4F56152D0CEDEC441453C049F817DA43F1AD6FE44B28D63F573552CF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:43.820{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD3C9CB7AA624219CF4F0CE23737F36,SHA256=BCB189A957600FAB6FE668E606CE69FF7D890B978165E9482F8A17EDC4FE4B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:43.881{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=FF6DA4ABF6176DA39229992F8634EC23,SHA256=AABE1A89120A9EEC7DA155398C8868F3AF5A02C0A348C6EC64F5CB72B1C7D14B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:42.935{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51251-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001381193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:42.935{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51251-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001381192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:41.425{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-61232-true2001:7fe:0:0:0:0:0:53i.root-servers.net53domain 23542300x80000000000000001381191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:43.313{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E781FA5C12545BFBE430EE5E005A69EB,SHA256=329521018D648B56B8868BDA442E7B74DFAC6B72C1D09816CFA9169DAC7B3137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:44.826{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6115F56A2692B072B099DF775DC39ABB,SHA256=40D8E9CC43000E27FBD71E4463E84F70131074023CE68552DF761DCA5403F606,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:44.172{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51252-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:44.328{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=547DD0FE134E0CAD438485FB2588CA4D,SHA256=8EFC1E416592B7B912DE96B33EAAFE267392FEB692B8115637CCD885B9D5D21E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:44.244{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5705MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:44.195{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E6925DCEE623453B60DA877B9B7FA6DA,SHA256=3F1BDFCE7068F1600DC39C4C1B339A62414E86340FCE7300D87E1CFA0066C6D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:45.827{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C34F7FC8A196F92751BD52C6FB6E6C,SHA256=C2A3CE29101C5A469029077FBFB209692649591AA90F13A12923BFD2AF2410E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:45.329{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BADF705D9A2C0829DD215A409A12C6E,SHA256=E18CD3026C7A57B8C34155605CDA859492CD39DD4389FABFE20A3FA1488E337D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:45.249{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5706MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:46.874{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:46.827{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7362825290F656337736061EF55B1FC,SHA256=A4D8E965AE5DB5BEFA5C89CD8913F174DBE0F718E39181B0BDE86CF017A67C2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:46.347{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DF98A969400654F7E1EA2278C9B45A,SHA256=88405CE73E2C3C10109325D966BBD1F13DF6180E634796D675D4F817ABFA052B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:47.842{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD633E037143A7496A3A3263D614758,SHA256=F67DDF97B9695E05F26798DE51E6A0F54D0329EEBA25861686A98EB9539FD333,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:47.007{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-24607-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:46.959{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-24436-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:47.397{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:47.382{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=889C6FBDE901717C59F577A333383427,SHA256=ACFBF5AADB9F2D6265041C6AE2F965770477E66C03DECB7F7B9FA55CDC849BBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:43.600{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61517-false10.0.1.12-8000- 23542300x80000000000000001381201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:47.215{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1388MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:47.150{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8256041DDCE01DAE9385CF4F789C0548,SHA256=9F780F0623DB966164AB5C7B7BE95AE08BEFC9054F96631A7EE63690543DA93C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:48.842{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A909A388B9F4279E8354ECA8F9A22704,SHA256=BCEB78B7580D0113B38B6FC5CC2ADE55D05405A46BD631092A13046EE718C5C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:48.228{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-33143-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:48.465{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB996A899781C3E751747CFFAB29CA3C,SHA256=CFA3BF1F829DC411E14C3778984702E6ECC38B0C39ACE239B619BA60239612FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:48.396{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B7F31AEAE4ADDEEAF1086BEE6C3713,SHA256=9EF773365380FBAFB967B1F4B6EA7A941C9388BC999EECC6A4DDC7FD5306024D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:45.210{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61518-false10.0.1.12-8089- 23542300x80000000000000001381206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:48.229{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1389MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:49.858{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B93DCD428606AD819860621C741FC55,SHA256=C7E9569EFE2BA0733161FBF7336AC19248676417FB0F5EEBB1D723C4D671492A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:49.218{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51254-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001381212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:48.372{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51253-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001381211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:49.596{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=810B3D5810D5F856471855100D6543B5,SHA256=0339840549CB93CE87C83D2B3FD9EF5CA53CFCE2751021789CD46723B81E76EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:49.411{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB3DC75CCC16534CB3E579066F878FF,SHA256=30A4F9186C68B5D65AC3E79E7EE5305B2800CC85C7B63C3B69FAEE6FF77258C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:50.905{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF51DBED3FBBEAA5E818B2BB2EF23355,SHA256=52E1840E8FBBD9D84AD158CB6E7E19011CF3F7DD0492CEC6D1FB5ED9B9D31B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:50.680{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8FB7684A374C438D964DEF4279E8FD3,SHA256=DC0EEBA8FB0C0912576D8472A9DC17F898F1FA670147B6F88242CCE474185DB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:49.490{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-41033-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:50.428{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC9630C29D66C312F8D512D8EA18744,SHA256=D8A7A83DE47EA4F8BEFC8DFF284239194DEE5760A332E261D02DCDA41422E6A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:51.921{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EADDD59A7CFC0CA3F9AC7AC2169545D,SHA256=42FC627C423C07A794A8E5E0BA2560B1005520C17E111DF841AF9F722CBE8F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:51.795{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44CEBEFC0904FBAD5DE6EC82F99E7BF8,SHA256=11931A4E3E870AAFAACE8BCF4127E78DDE6D7EC1DCE82263FAEA8CCB1F840897,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:50.612{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-48970-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:51.446{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A973DCFB9988C3C870154B4FB6001E6B,SHA256=717332086D2BAB8EA823263D2B60333E532B785A106136B941C92B134162665E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:52.936{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79DF3EAF9401696837A86884965704DC,SHA256=F0696987FF47DD3BE5FE8D80E05A8450248AF4029AC15BCC24CD68FF61A43AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:52.994{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B64695C7DB7FE3DEE2F43E3421374080,SHA256=B5C52A144E93E86D6818AA9549139D435C559B4CB794FBE110FDEFF5C0EC621C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:52.463{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=230AAFDEB3F32409DBDFC6945307181A,SHA256=9C937D6715980FDE1C3AF2DC66530FD8074EF6CE4A63F3A1818017574AF4BD8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:53.952{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC7E40F3DABB75427E58ECEF24C1EFD,SHA256=4775EBBF46EDF26ADD5AB3AA6E5EFF575063D90EAA5EFE705CD1FD42BD671A18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:52.874{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-5115-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:51.707{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-56851-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:53.464{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B34F5B6B14A577BAD4042B1970488453,SHA256=0186F491A563A5506F720823E54012E3D83545126FB846924BD89167C40C4E98,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:49.491{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61519-false10.0.1.12-8000- 23542300x80000000000000001287206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:54.967{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F564C437287A61647421F25E048FD550,SHA256=A392F8988A6F5D6A9187F438011DBDAA45700F2DFB1DAB83FFD7ED058BD7D58B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:54.009{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-13178-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:54.479{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01B9BFE5B2FB96E3AAE3699508441B8,SHA256=4FDE3C682B459C8F83725660541A192D0D0A6B2161FE4B26486D9EB2A8FF5B4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:54.079{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14F9B883BF46693F9F5D04F628FBD299,SHA256=A9D5022DAB9DF5468A45B154AFD2D64D53DA721F2A927D9FB57F5B0D418A7BE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:55.115{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-20794-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:55.493{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55BF24639CD9B371B412B5C74397876F,SHA256=60513DABA99E3136CCB727355DC25ECE474198FE06BB0B767155C88BBE78FF2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:55.244{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89C27B1EE9FA68F304B3288A830CBC8F,SHA256=A354F9875C341DFD01B8FDB8710E41EFAB8AED26A61C0426B500B8513876BEA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:56.255{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-28838-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:55.236{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51255-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:56.561{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A228D248A6D3FD0E28C70B43A6B049E,SHA256=A384B8E74748A3CF97C047411B13B671A39680704F6E06A6D7742B8CFEFB75F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:56.186{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C96D5B3CEB097D9022E60526B94D7E2,SHA256=FE14EA18DBDA48F4E7F7646CB88F8D94B751088C9A417BBE084D1DF05C391709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:56.342{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8317C067EB8CB8E2C1DAD0DDB1025C26,SHA256=F23E8B60DEF2C2FDA17DB981F248C9A8EBE1D8E7ACE045D89533A1C40B1CCADC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:57.521{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261521-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001381237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:57.366{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-36005-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:57.623{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2793E80678E6DA4E6858C4E81EF5B908,SHA256=89AA2D576C18ACC861DD189A217FA991D35CBB009409E12551D9CFCA30BCF911,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:57.511{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E2E498AFB31A67129D4CFDAA6F084E6,SHA256=BB5A8D7C6BDE1290069ABE297551492EEAF5D325349AC4A249342E2BF7DDBD86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:57.511{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5C1A256362A4D8148E5378119682B1B,SHA256=99254CACC7E8AF7AF38896FA908AADA7CF9C85959DD23BB7E9A674DFA791CADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:57.417{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4F1E080FAE5071B8E767D12704B0FF,SHA256=F94CECC9E35C5FD6F59E1004A8CDBA82BAB111BF370126448380E84821A69413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:57.460{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAEA243D8337A92F09E860553FD251B6,SHA256=086A78EE95C85BCC006466356CEDDBBF31033B4C3F014775A5ADD8B184CEB009,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:54.276{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27499-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001381243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:58.474{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-43782-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:57.589{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-46486-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:57.551{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-46383-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:58.659{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=092846111CEE750D9256775B9E6C43A2,SHA256=E7CDFC66602E19582B58C804DE7AFA42A6FAF7B12E732306C33A21261370F014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:58.641{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D46732DF4DBCB65B4B901FE5F206078,SHA256=6D776819B1D5C8A8DF83DDB684FF45CE7A0D13C030CBC299C7F6E1694FD0D599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:58.589{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E2E498AFB31A67129D4CFDAA6F084E6,SHA256=BB5A8D7C6BDE1290069ABE297551492EEAF5D325349AC4A249342E2BF7DDBD86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:58.433{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B59BBDC44731C9F0D077E8F8787460BB,SHA256=FE874CC8E4CA2FD1EB8575E2FAE3F60BDD232D013D40092B39CB9E0099A4A11F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:54.850{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61521-false10.0.1.14-49672- 354300x80000000000000001287213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:54.584{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61520-false10.0.1.12-8000- 354300x80000000000000001287212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:54.301{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27625-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001381246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:58.721{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-50915-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:59.741{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60924AD7A45FDF3A2E82750BEC3FBE46,SHA256=950ADE8E120D41DA928BADFCC79B47F014198680B91C824B611B58D0DDDF7E60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:59.741{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D37372FC5DCF81B5B6F6FB852E22A5E,SHA256=D1389EEE6AAEE0273DB0F2A4F68AD7495733D6133ADBC5035785B4A1BB9146D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:59.746{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D5C7CF37C0FCBD00CE394686481F593,SHA256=4BB887FBF97DC1E68BDA675BE05A3D0016F4B4A2B0B7B173495DDA8751C799A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:59.449{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4789AA6C1A40C663AD2A6B3878035C4,SHA256=02E30177DB87ACCB44987FEBAC67DC721C3E84BCF81309D41F63C0DC8AB8C14E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:00.973{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EB75B5657CD026A730B7297C2ABB1A6,SHA256=1DD369A145CC61EC72C0A6BC47EDC05729BCF57C467029B67C34CF400CD751B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:59.835{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-55353-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:59.672{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-51711-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:00.773{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C65ECC7F07C862F07CC29E2DD59450E0,SHA256=D840463814386C43D0E923C2AC6C93E6B0078FA1945C1602C5BF361E904D6262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:00.464{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29248A40C8FF7242598ABA31807D69B4,SHA256=3CFBC5B19842657A84B76775485F6AA5F70802E4AB85558FA92FB51A344E2945,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:56.999{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-40812-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:55.882{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-35186-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001381252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:00.785{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-59338-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:01.788{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB31A26365594BA97B8C1821629BDA12,SHA256=56FF7EFCDB06E05C089FD5835AB14A0527D102D633DC34AD5C3D86ACC6AE0555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:01.480{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187780E659B4BCEB53390764D22B4162,SHA256=4115AB99A0043ED4F54C8BD6C809796CEA3FB344D40DC1EEF6482F0EF040F354,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:58.117{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46816-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:01.058{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=800F6124E8FFB1DB75CABB4FC5180C9B,SHA256=ED0ECE23774207F3CABA32F995810A4D0090BC776CBA5FDEBD5F244C12E93838,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:01.985{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-8236-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:01.027{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51256-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001381255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:01.001{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-59837-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:02.819{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09669A7D6B8B5842ED558DA11F73A0B,SHA256=D2850B1D3BCADBB5E50C39DF388388EEBEC0312EC16357DB93FC0ABF29366B88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:02.480{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F45F0E46A62E194C49D4DA6EFC8ABB2,SHA256=0FFFFF0CC2B8CA1E33EE9E39DB71086AEA7665A11844C4F76E01FAB5A945CC3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:59.430{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-53446-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:02.088{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C38DE5019540CE0868B1D5FAAE9EAD62,SHA256=11CAB5C24CE7C0D70B662E5F58999D1CB2FAFE29A7AB65ACC3060BBE494EAA1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:02.152{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B27F1E4FC6133B9DE981FE5B922F835,SHA256=1506D03D0639F16A1C4AE30811A50D61FD378716501E16D8543277D56D8A0235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:03.542{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5D241BEACA83149986A6717CE58B9B,SHA256=25E3603DFB4A672379A4CDC8CAF15C1FEB681EFB705AA6286983F14C8BCCE5E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:03.115{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-15917-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:02.146{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-5343-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:03.819{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9951558DA2D79B0F1ED75B309F7E3DA3,SHA256=C46521FBFCEDBEFCD4599883F7FBD0EB7D27F89B54D20A0DCDEACAD071A8D440,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001381268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:05:03.587{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001381267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:05:03.587{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x05193dc8) 13241300x80000000000000001381266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:05:03.587{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b43f-0x8a6a8dd0) 13241300x80000000000000001381265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:05:03.587{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b447-0xec2ef5d0) 13241300x80000000000000001381264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:05:03.587{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b450-0x4df35dd0) 13241300x80000000000000001381263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:05:03.587{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001381262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:05:03.587{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x05193dc8) 13241300x80000000000000001381261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:05:03.587{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b43f-0x8a6a8dd0) 13241300x80000000000000001381260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:05:03.587{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b447-0xec2ef5d0) 13241300x80000000000000001381259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:05:03.587{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b450-0x4df35dd0) 23542300x80000000000000001381258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:03.203{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF2C01CD11ADED2DE9ABB22F728DF122,SHA256=00B2CDE43442153B4D9229AF95D49DCF045C549423E3C8CB43B6774AADD26BFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:00.503{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61522-false10.0.1.12-8000- 23542300x80000000000000001287228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:03.308{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=478ACF8DA4A21753A1DD94C435E45E88,SHA256=3251F894D2445B4C0E67A57F8405854AEE16EA1DD30FD276AA8E52A8BDF97EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:04.683{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDC6BD6B0F9351D2B75C957D682CD776,SHA256=621CD4D5A9D0730E3CEF3C445F75CBB8D58FE8BC688E35472458D8AEAD8196F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:04.368{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-13953-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:04.363{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-24130-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:03.245{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-9678-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:04.855{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C06FD9E7F84E6DC55AF51D8A003EF2,SHA256=98BF4F8585554B60E49B3C7DAD2B37F177FF6D335CEEE6AFAB371906BA656226,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:00.562{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-58987-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:04.434{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B7CC1DF6B6D52B4C732DBC33A583034,SHA256=A48E3D272F1B77011E70579CCAA34B27B584DE2C792EE13B7F792A2E0DBC0158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:04.437{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62A3B9511DFFD3C1F110E897516133AB,SHA256=792E6EB9B86C376A5A5728124FEBF584C7990E17AA0F2ED92106196AF62159E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:05.917{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E2EAB11787682133071B100E0D94CB9,SHA256=889448FFB909C8130F047790C3531F72D3672919E6A998AE3ABD0F4618121F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:05.901{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBFB96A0534260C6208334D2FE61C50D,SHA256=6EAFF1948AE43246185BB73C1CE03A573E474EA72FE8A776BBF4D86B244D23E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:05.589{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C192F1A62AFCB5910055CB7F580BC3C2,SHA256=6F7DCDE8C3C1A884AFC5DF6B2A25978FF483A0EB7CAF58B9BD7A5AB5CD39A65B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:01.711{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-5881-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:05.517{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=182E7D074D0396F646195ADBC8977855,SHA256=2CD7E3E3A6E172C5AF908D33B7C843988E3FFA22B3A86819C6A2F9C7B2D70A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:06.916{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4575769FE14F0434604C64EF60D82631,SHA256=91A209F75AD4FF81D6B84E92AB8E5123C650C5CA12AA9D994146BDEB0AC22F78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:06.714{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C45F662A34A00A1FE2DDA991429A5927,SHA256=9DF068BF726C25A8D83732F93DC1D87553EB8D1DCB16F9961CD21DDA07840304,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:02.869{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-11380-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:06.616{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F704E7348B0DC7E5C365675597ED313,SHA256=C1D9B0490C332010590474C49D0EE7442384DA12AEF3FB3DD541C199C09BCE12,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:05.660{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-32625-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:05.445{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-18297-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:07.934{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5987358800C5414CBD159785892D9703,SHA256=375EE608196951B3700366CC4B44D32F7D49CD2187833411680718434CDF41A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:07.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7416F28D9E00C8524A604068CA676A54,SHA256=E0F4B642BB6822658A335AAB8A8E51A366086502DD9D12BFA80E5DDD3D56727F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:07.042{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A847654B4CEF4102045E6FCFAE35FB,SHA256=093531EA59B8822E06FEA150BE320DDAC829DC4070DBB5F0279081278BD38087,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:07.768{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=845268B7076F8753EC130FA092B51C05,SHA256=90D2890CD0508F743E0F106B12CAF77B2B20AE3694D0EB7C483D039E596C23C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:06.528{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-22555-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:06.108{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51257-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:08.951{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A414120CC9D7BB730492CC15AD4BC86A,SHA256=5D9EA932126527966C14EA7B572B9B5F1979FC0B0F03910D165983150A954012,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:03.977{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-16991-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:08.042{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F7181975C970B5506EE76D1BBD335C,SHA256=828EA4B26AB141074144FEC7B5E848437286817D9565B99099E17D4C3F3FF5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:08.883{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D95B65A718C6AACD9399C22EC377493A,SHA256=254B1E07F8C160A2260CF9942CAA69F870D0FB1BCC70C3A2BFC6581519446B4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:06.933{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-41350-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:09.966{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F16F0E9FE153D0FBF65FACD96B5D053,SHA256=CE1AE7E4EC151B50604A74AAB63C5AD1A606BD68D0B79BEDAD286E5BD65D53A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:08.211{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-49877-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:07.643{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-26805-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001287246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:06.271{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-28114-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:05.130{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22747-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:09.167{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7EBA3C73A517A9A6E23A39B82AE4DA7,SHA256=019549E0835644DB53E9B55E825CC0A65C70534B725DDB4EC1C213AEDAF284DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:09.058{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D2D803D75A35D640E71245827B5821,SHA256=7C826DCECF0FA0F29289FBF2C2DE12ECA01922A605EAD05A336083444A78F1A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.981{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A19B9021A9EA903EF6D865CC1C8FB99E,SHA256=D64C2599E317BBC3A7308B22AFAC6F1FEB97B908A4D0B4C9AD9929CE35D31237,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:06.519{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61523-false10.0.1.12-8000- 10341000x80000000000000001287251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:10.339{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:10.339{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:10.339{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001287248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:10.245{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FDCB8941EE9A9DF26BDED7CBD7042F8,SHA256=00D020C504878761C83F1112398893FADBFC544E11D6C603E5C32C2986861BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:10.058{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E01837893B08D2CC42BCDB82559726,SHA256=FA9E388770DB564C0ACF4FFC52B91AECCA4F8DE901CB74FDB67D0F5580E2DBE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.812{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DAC6-6152-1A28-00000000FD01}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.812{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.812{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.812{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.812{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.812{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DAC6-6152-1A28-00000000FD01}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.812{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DAC6-6152-1A28-00000000FD01}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.813{5EBD8912-DAC6-6152-1A28-00000000FD01}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.729{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E7228B361DBDE5C84B9DC386EECB5C26,SHA256=7AFB33A6413B32C91D07E4F25B518928B7E0EC5579771AE9FF8EBDF0E9788D5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.313{5EBD8912-DAC6-6152-1928-00000000FD01}30207072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001381303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:09.365{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-57533-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:08.791{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-31155-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001381301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.135{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DAC6-6152-1928-00000000FD01}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.135{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.135{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.135{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.135{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.135{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DAC6-6152-1928-00000000FD01}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.135{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DAC6-6152-1928-00000000FD01}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.129{5EBD8912-DAC6-6152-1928-00000000FD01}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.013{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2FC184C1147CC3D472C90EDA32AD697,SHA256=10BBC35B6290257774FEC0EE60934614AC821EC7067831B78983EB7D727D7A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:11.995{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D95CE1B88CC139DE11BE3158D72D5E02,SHA256=6B0B5898EE3FED1F344A9A9F2FDB01C823FA42C591D5E5C8A61E9A107BB7DEB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:07.540{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-34668-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001287268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.652{69CF5F33-DAC7-6152-10A1-00000000FD01}19241972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001287267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.417{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3312A3E438770D71328B75B6CD84CAB,SHA256=3434A56B7ABF433D324699A49B8A630D8298DB5E0C5DF9762CC5C80C4C054F6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DAC7-6152-10A1-00000000FD01}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DAC7-6152-10A1-00000000FD01}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DAC7-6152-10A1-00000000FD01}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.356{69CF5F33-DAC7-6152-10A1-00000000FD01}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D6F6AB6BB37CF925BE123BB8FA7EB8,SHA256=EBD55E958B8C0B9E91385B9CC6FA301B4FA72046F77DE04F137033EF7068FDB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:11.023{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-39713-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.722{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-7100-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.184{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com40603-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:09.937{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-35642-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:11.096{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B26EABA7FFB1A560D0226A56C69C706E,SHA256=0746CEBAA86B673569159640727D3438E16506007BE9C2B64EF0168CDB43AA51,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:09.804{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46271-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:08.619{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-40276-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001287298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DAC8-6152-12A1-00000000FD01}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DAC8-6152-12A1-00000000FD01}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DAC8-6152-12A1-00000000FD01}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.700{69CF5F33-DAC8-6152-12A1-00000000FD01}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.652{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D45632EE4F9F2FCD3CCA81AFA0E5337,SHA256=719CF953CB9054C6AA41A93430EB8FFEDDBD2C7A000EFB9B7A7C596B8335919E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.355{69CF5F33-DAC8-6152-11A1-00000000FD01}29041012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.090{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DAC8-6152-11A1-00000000FD01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DAC8-6152-11A1-00000000FD01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DAC8-6152-11A1-00000000FD01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.043{69CF5F33-DAC8-6152-11A1-00000000FD01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB2D362B49AB4A5221CF4F07D2D1AEE,SHA256=FEDE7D85617D172D7C7E3DCA8DAAD2E2BB0AA41B0AC47DCA2950F7BB2C0E19DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:12.895{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DAC8-6152-1B28-00000000FD01}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:12.895{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:12.895{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:12.895{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:12.895{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:12.895{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DAC8-6152-1B28-00000000FD01}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:12.895{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DAC8-6152-1B28-00000000FD01}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:12.896{5EBD8912-DAC8-6152-1B28-00000000FD01}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001381323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:11.867{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-14209-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:11.219{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51258-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:12.229{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72051C7FBDFDC120A4E1B2A8BE4651BA,SHA256=715233C99A42FDA89FE14AA11426C6BCF88E96E301725A1FF10E0E0226A4FAAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.857{69CF5F33-DAC9-6152-13A1-00000000FD01}26601500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001287315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.745{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=893B20B71A08CB999298EA4DBBFD048F,SHA256=900400AAB68A7E5A8950338EF2EDE281384C34B57C43609213FDDEEEC8E5CB2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865AF360BEFCFB07D16C7578CD391F39,SHA256=1E8C0E3057DE824517E74F39F83C8F94CA866008B07EA5051D930CF281D227B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DAC9-6152-13A1-00000000FD01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DAC9-6152-13A1-00000000FD01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DAC9-6152-13A1-00000000FD01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.590{69CF5F33-DAC9-6152-13A1-00000000FD01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001381343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.411{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DAC9-6152-1C28-00000000FD01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.411{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.411{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.411{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DAC9-6152-1C28-00000000FD01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.411{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.411{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.411{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DAC9-6152-1C28-00000000FD01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.412{5EBD8912-DAC9-6152-1C28-00000000FD01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.395{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7AED805BAEDB999F575997F6E674E61,SHA256=C11905C58845ECB7F3A0E5BC22A59E34898A72A9545607CF4C1F0BEAB9C2B685,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:12.121{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-43934-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001381333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.064{5EBD8912-DAC8-6152-1B28-00000000FD01}65846636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001381332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.011{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51499E8B746E30173B58779463990E1,SHA256=1AE033C62D9D58A358D53ECF3C7F7ABA8EE035C02027A4339BA171F330B83662,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DACA-6152-15A1-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DACA-6152-15A1-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DACA-6152-15A1-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.965{69CF5F33-DACA-6152-15A1-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:14.411{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86437961920D7B75D7D8ED2648AD3E52,SHA256=318F51D4EA120593B41E66DF196EEF7E0BDF56E349946F3E575D9351978E7050,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.023{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-22246-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:14.012{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3F291913A7AA2265F5264290D1415A,SHA256=FB8F9973C2B42FBF5AB87637803C05B65486BFBDF7085C294FAF5AFB5C80D805,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DACA-6152-14A1-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DACA-6152-14A1-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DACA-6152-14A1-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.277{69CF5F33-DACA-6152-14A1-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001287346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:15.199{69CF5F33-DACA-6152-15A1-00000000FD01}24083384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001287345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.056{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-52500-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FB8ADBB103CD40D32912B4C4EEF1FA,SHA256=1C393645AE6E3E34BD542D42AEFC214A6CD7C4F40789F09CD54095F9F64632E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3096FAF964270A56B73292B96CD2E258,SHA256=81799C5C84852BD8B57FA15A01E7D8E5B9CAA638CEABB3BCA8D5693143243627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:15.610{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE1B92849F085F52541CE52B872AE2A2,SHA256=D02325CA3FF984CC18FB76B66540493844AA81269024872D7F65DC3FD9C1CFAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:14.438{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-52999-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:14.109{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-29868-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.336{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-48622-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:15.030{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB0FD86F548CB76F84EC3DAE27A48ED,SHA256=5EC3AC74372AAEA40471598A7DA8D2F9D04EB4B87D74FFF257004CEBAD8953E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:16.120{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242628D39CBEEFC5300B0253E4532AF4,SHA256=7214642767A1FE6E0B4BD9991EFEA884E99C591817A54CF79D8977F924985FD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.794{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DACC-6152-1D28-00000000FD01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.794{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.794{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.794{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.794{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.794{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DACC-6152-1D28-00000000FD01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.794{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DACC-6152-1D28-00000000FD01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.794{5EBD8912-DACC-6152-1D28-00000000FD01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.728{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3352C050B5D087D5798A83663E5249A5,SHA256=50EAFF2C7FA7BBD0377E053727CADBBA62E3C8D478DBAA21AED6533C381E4D33,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:15.192{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-37469-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.047{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3086A1429E49857FD32D29FE4F65071,SHA256=28E2EE4A531A3001063BD81819D7B0745C0C1D2C9853A45D46E4B95DACD53428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:16.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=929C31CEBEDEC0A8A7F0CFB06D7D4099,SHA256=AD720D35357E71F8AC899C005F3B4354BEF0F5067D76284D076C9BBEF21B0903,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.305{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-4804-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.503{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61524-false10.0.1.12-8000- 354300x80000000000000001287351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.186{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-58242-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:17.136{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED95F72B44E21CEA6C6F2AA1A480BE67,SHA256=F0D5FA7EEC371EAD309429E8868AEE7F4B52E36542070A5324850DFDAD09B319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:17.136{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2008441870CE2195A0EE9BCB39D6453,SHA256=BEB898A3E035E6EB5174DEFAFF02B55ED930C8A2AFDBD8908F4C9DEEB9F5B541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.763{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D23C1324AAB14646C696C494221756A9,SHA256=03DB7AE45B94039F76F4D8C5331043EE7FB615552082A17F1D51CA784D021351,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.630{5EBD8912-DACD-6152-1E28-00000000FD01}7001840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.477{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DACD-6152-1E28-00000000FD01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.477{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.477{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.477{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.477{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.477{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DACD-6152-1E28-00000000FD01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.477{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DACD-6152-1E28-00000000FD01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.478{5EBD8912-DACD-6152-1E28-00000000FD01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001381366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.502{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-45960-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:15.539{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57252-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.093{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D443F797BD020AF77206BB307F8A6FF1,SHA256=B207FF63ADC832A16B147130B970C71883CDADD94C1F46134610C9893016941F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.994{5EBD8912-DACC-6152-1D28-00000000FD01}70287024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001287356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:18.453{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6095B6D2DC0739A2B54D452E93CE7D3D,SHA256=CD1AC8518A39BF5FD386444689B519FC2C49F578395072F776A033C5D050AB0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.398{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10292-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:18.141{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89CAA0E32B075FB7036FF5279D36BADC,SHA256=DAB97E0D7A8D69204AC1F6D1270B87FA16D748890CDE3044857104CE7D5CD169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:18.927{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7F7AD0FFFBA2B75E5FE50B13B959357,SHA256=FEA99A17242459F4EAEFDAE77F737A1C7CA52A249CF47B28AAB0D5F3862F1A03,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.068{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51259-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001381378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.633{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-2520-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:18.131{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819DF42FF1C022A5987ECB0742CEE454,SHA256=52A7DE01996B12EE8D1A2AA63FB5807FEAEF0F598A2EC08E4F86BE6DFBC1895A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:19.976{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=566AB550A9D019E946E00ABDF6CD7E0A,SHA256=E5D791947FC0B485E9EA05A143A8F75D2F8DA6A53E8C12AD724CF48B562F9CF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:18.820{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10904-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:18.791{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-1547-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.737{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-6806-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.607{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-53097-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:19.145{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF85FB41E285EED895C4C4A2E72414A,SHA256=D77D54372ECC6354DC828294CB87DCE0C849493D5EB49AF8644AA95B003C62FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:19.657{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00F1EDA83BF3613C1154D82BDF202FF3,SHA256=760468ED759B7AC51FBE5984CACA53E696D3B98F7B22907677FFB7F879451FAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:15.568{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-15886-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001287358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:19.172{69CF5F33-7F27-614D-0B00-00000000FD01}6241444C:\Windows\system32\lsass.exe{69CF5F33-7F0C-614D-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001287357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:19.157{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F83E377F3AB23228AF14A5C80F38E9,SHA256=81BAFFCF7C2F3C2926D73A4E07FB26775B1E0BBC95C8E974E19CF3AE5725BB18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:19.920{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-10039-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:19.904{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-15183-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:20.160{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF81FADD6A68A0D588DA4C31D3ED060,SHA256=AFD126F8D80BAC15DD20815864217F1B60844017475FDF3F7A79E81998BE9802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:20.782{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A31BABA9C0F877E0271DF05B712F5E79,SHA256=C195925A139B387EA04D99C7FE12D079FA7D2779095C8FDE4137D169E5DD3EE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:16.912{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22086-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:20.157{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670E1DD1C8F614D87C9ED29FAB18824E,SHA256=37B4B28F0AE5C8A6C52297733B8391ECDC05EC57D1051BE1DD87752C3FB18AB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:20.091{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DAD0-6152-1F28-00000000FD01}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:20.091{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:20.091{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:20.091{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:20.091{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:20.091{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DAD0-6152-1F28-00000000FD01}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:20.091{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DAD0-6152-1F28-00000000FD01}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:20.092{5EBD8912-DAD0-6152-1F28-00000000FD01}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001381400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:20.198{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261525-false10.0.1.14win-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001381399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:21.161{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB53578B7A664B94159E3D62A2331A3,SHA256=C00EAD19B5F3EBD5B9C329E552886FECB2C08517A28D68B364DCFD699B65F1C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:21.860{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55E12DD91E4DFEA6B784BD5961304696,SHA256=F6A1B6F3628261002828C7CEF2285212A3C09E4A10737814F65155BF732721BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:18.033{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27616-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:17.527{69CF5F33-7F0C-614D-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61525-false10.0.1.14-445microsoft-ds 23542300x80000000000000001287364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:21.172{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA82AB095FE422AE45737B6B22F393F8,SHA256=602D796CE9DE978DC6577A8342E753E8E8B6A2CCDA4AA9E5B2A31B445DA5F137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:21.092{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BF82BF0AF6B3987CD15196ED0BE9478,SHA256=758625E3EB877F8B9169F99431DCAC4A188278056DCC41A455392BE2425E1AC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DAD2-6152-16A1-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DAD2-6152-16A1-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DAD2-6152-16A1-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.580{69CF5F33-DAD2-6152-16A1-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001287370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:19.153{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-32894-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:18.508{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61526-false10.0.1.12-8000- 23542300x80000000000000001287368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.188{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D294969C3E40D2BACED8F9408535D07,SHA256=7A8F4F6E2A78BD27C761E0853D2F100A9D8284A640E518663BC2D4CE9985A781,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:22.119{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-23426-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:21.049{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-17754-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:21.001{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-18944-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:22.192{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B00249FF48E0CB9C8594AAAE801B9A6E,SHA256=6877B3E005A22D5A641F2F3836EB79BE236F7CD5DCAC6A598C6AC86CC0203468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:22.176{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0CF39F1B07280DAE6612E9D19BDF0B,SHA256=D575DF76DC19B6ACE0BBF005A00B0FFF2A4DED410020D694CDC3AD9F0AC31E91,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:20.283{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-38443-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:23.203{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2A9DC8249CB26326F1879C3EC808031,SHA256=8DA3826C2D0BBF6B8014DB65199ECAAB7947EECAF77500D7ABC7445044AB3CC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:23.202{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-27528-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:23.034{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51260-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001381408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:22.189{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-25642-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:23.275{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72B9E4BF6C47EE433D527D0E49A610FC,SHA256=D3287BB4B3E80C09663AC0C7C92B55E5CACD344FB8E250E4DCC0B687BEB20B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:23.191{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8401AE5155B331640FEA8771E44308A7,SHA256=4F3248B289C8007E53A4200675CF8E1D80BF718805A98043AC48C165C8D2A3D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:23.016{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47851C7D33AE47FC14B5B4D33147382F,SHA256=A129AFAB72CDDC9AB8BE5797326895DF7FCDE54412FEB1E42421A2BE3928A99B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:24.203{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2342692F3F1E56C34485F296C78A2121,SHA256=B5A28815DFB0886C582EF38354A946043F04AACB8960A6C7152766B7748B48FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:23.337{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-33243-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:24.424{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCB03E1C2C597983C1DFAB83D2ECE499,SHA256=B231BB912FD4275C7238576457E17FB7889FDF001FEE16401C8222683C8C4C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:24.205{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3965BABA4C6A1E4931EB8DA42EAA071,SHA256=1A7BBB7EFA236D524B70040C5AB10C31C0BA740C631A8547C9A73156D58815C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:24.141{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E223053224A83FC9B600893D69B3A13,SHA256=1732A98F00FC3D989860BBCF465A3DD277048B2FABFC747EC599B390A7E99FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:25.541{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83EB28C3F9CDB59202F761CCCF64557D,SHA256=C2DB29A760528FAA18420FC6A93E2C9FE94317DAC6E4C1235E9567228C387B9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:24.422{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-40856-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:24.301{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-31777-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:25.223{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=167FEA9C6F361ACF3E67D7761A098761,SHA256=76E963CEDFFCA48EF2872A205EA72748E1051B3ED2274D749F877158A3DDC117,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:21.403{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44029-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:25.469{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28FF3F8F25499B183611995AEA08322B,SHA256=E131BA1A9769831A62591BC263669FBD808A4FA3A5CAAC81D1129115F2296129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:25.219{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1290A117A92A6C6D911054B51CC02EC,SHA256=C8693E1F4C279A1B10C27CFDDCCAFB8B2C50DDF1970668AB627B589ADE7A2F95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:26.531{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8A14315E3CA1162A454E1F7E4ECDF3B,SHA256=84FF9B4F40853F533D8BD4B2FC16F4F5B79D277028D3325DD7BFEB171581A1D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.608{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50278-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:26.235{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=457683D092DEAA0140CC7A8CCC696526,SHA256=A586FB2AB7027206FDE0A327986910405B9FDBD36C482B0F076DB3E169E9CF30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:26.621{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE738DDE42F21E29654FEB5415900C7A,SHA256=D5C865FC290EF4E9DEAFAFD6D1BF5EDF3FF9BEE623806FAA04766316B1D7527B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:25.605{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-48897-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:25.446{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-36179-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:26.241{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2990C03ACED3E8B736DF7CF0E358001,SHA256=F316DDDCB77351555EF5F50E0AC2F17101B8F67EF784E8885E6B2B23865C7EDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:27.702{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92E04492E77D8B3AA1C3A37814C86FBB,SHA256=C731EEF9A9060D79F8BC64546BC40C03689BF72622A79B52B41D3845C66A095C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:26.859{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-57194-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:26.553{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-40621-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:27.271{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6CB60D3985445863779368E1FDD691F,SHA256=FB500E3817CAD78578CC11656D4CE5FFD6C8077FC0C5DAB60228B4B48ECE0234,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:24.445{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61527-false10.0.1.12-8000- 354300x80000000000000001287397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:23.841{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-55952-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:27.625{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D571A1021BF841820CA75F1E11278E0,SHA256=00E5454EEA059DEA979F0EABED77DCB72E5283BB27FEDB74618AD5D7B70E54DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:27.250{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0739F557646A27CCBDFE52DD9130D25F,SHA256=A9A2DC7D9DB5BA40BDC842996C1875D3715C619B61A28573AB3BB121659789B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:28.719{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCE32A3ED40D0B1FA0C42F739A3537E4,SHA256=3525B3CB0C2590FC6B5A7404DD5E933DDB4B13671F1B2531E939A0F5DCEEE02C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:24.920{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-2767-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:28.266{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE376DF0EDFC8BF3DD35C54ECAE3FBF,SHA256=6A494DACD07FE1CA911CF124079A6B5EB340885207CD01C858BD06C379EB5C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:28.820{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1DF2DCFC0954E40372753489CFECEA8,SHA256=4B7EF813AF0B0F2E47773773441B11E04EE5AB59B27A9D0B179D3CEEEFC0C758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:28.302{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E078EADEDE56B9FA957C7D76CB2CA44D,SHA256=D3EC8D0E220CFE8952E830D25D29E3B007EA253922BF387C802F7178227F571D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:25.997{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-8178-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:29.344{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4005CC7B8729BA85A19DE3A6BE9EBB20,SHA256=0618503FCEB933DA2D88E1DA52E7B1C40135AA6A80BDE37727308D0F1188B948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:29.901{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97F12EFDE4F6135D814BF57C97750648,SHA256=A8C106358367DD4538FE2ABD86ED570C2AD6BC436906ABEAC6827CD57558B019,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:28.726{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-48719-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:28.130{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51261-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001381430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:28.014{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-6388-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:27.629{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-44649-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:29.323{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80561F11EC2E1E861F9B151131E1793,SHA256=9D41678AFF4DD9E0F859202E4B7643586672AA1117CCDFEB3577C530A084C2FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:27.397{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-14176-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:30.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6C0739BAC0E966B46643878109A3A2,SHA256=0B5220DB3A9312317A56454BEE537918A0B41B88E1AD7D853DB72E4376EBBC01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:30.920{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F32A0B2EF75A38F7B971719BF800489E,SHA256=D233C98FCA69199F77EEDDAF55EEC20DF27F24EBDD7D3DC985C128E83B6B1220,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:29.148{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-13326-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:30.338{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF24B72A98C8A1CE21E6615EEFE94EE,SHA256=48C8BC3748515705C5C84EF072FE5E635D4ECD911187E3892533B1CBA044CCE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:30.172{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD9FFC5B1BF6204E261C11693A8FECCB,SHA256=A265CDEC2BDC908A92D44AE73C6D15470A3061A17F06904CF3DDBA439FC46E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:31.594{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4FC6D37EA36E77DBB0D47B1DE0F1D59,SHA256=3EEC01B0ED6FA803751E626DCED61D257348FAC26A3FE078431C3475C2E1DDF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:31.397{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-29258-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:30.926{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57293-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:30.280{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-21729-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:29.828{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-53104-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:31.353{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A52335B704491F019E1C36ABECF83F,SHA256=6C90BDD47E802D9AA37BF73C3A2956996B540953718D9EE92536B20624D84001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:31.328{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04411CFA37A47EBFEBA17AB61494E65D,SHA256=3ECFBD95F1DFFD4148F59B49858ABF21F5D7F663014021F560A6C1F5BF2DFC8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:29.745{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-25620-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:28.547{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20017-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:32.688{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B20BAEC6FA750B5498526134521FE25,SHA256=D249578DE6B3AE76EBB229F718E192F7BA68C3AA100061A2CA00767E77B90516,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:32.049{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-2837-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:32.368{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2E67381A67866A94308021BFE8F7A8,SHA256=CBD968993B95202CA48CF967CF76910965FB593E380C3D60C11EC0D6B8F9040F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:32.547{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B09B0A3FF14B53596AA13161C6E0867C,SHA256=564E6D546D30AE0F8B357807D5486BBD6A0B7AE35355AEAA7C6FD72F2505E750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:32.118{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F5A3B47AEFE6DAA2DD781514C11E4E1,SHA256=EE96E5F4A13238DE20661265A9B283B75F161D846DB41F9690FD7E550F7655AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:33.906{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6827F36A8992D1EDBDF41A6784A11D83,SHA256=F5472CF1EA701709AD78B6D13D5DD427EE1F2491CB0DCCE30FCEDCA98EEC63B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:33.860{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75DCCB34BF2ABE63ACB9F22F4315F37,SHA256=FDFA53C8448DD5C0AB8A6D3D8C17DE69082F78EB6517989D505C5D5566870A05,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:32.641{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse116.203.147.165static.165.147.203.116.clients.your-server.de64485-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:32.531{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-37124-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:33.398{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552412019E80C470C411927F99E3C6FF,SHA256=A75E167E383F18382EE57B826C4D1C1D7515719141C6ABC946C34771AC839A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:33.198{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8C003E3F7A9E319F6AA61D629018539,SHA256=2D174DE1013E6FEF14C578D205C6EC55EB33EEEC75C6A7811B69E6B000D1680B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:34.985{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E30145166E4F51A38D774F19BBAA94D7,SHA256=F19410F60CE9554D534633703DC0C5CC75A9443701346319B66266F457C8E26E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:34.860{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3EF072CBD244A59CB0677B8275972EB,SHA256=8EACF57E5D6C4ABAF2BF93890E8467D8D272D1F617A5C820352B39230518DDFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:33.126{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-6879-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:34.416{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE5E35360B9CB524FB04FE01F210E0A,SHA256=56B2B6DF851AC77B91DE918A533FDCDE363E8982BB35720E5C6440E5D12ED2E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:30.445{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61528-false10.0.1.12-8000- 23542300x80000000000000001381449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:34.297{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FDEFAC640A6AFF8471C4FD467B7B09B,SHA256=45F1956C5C7645480F87F775785CED938186073FC80E9A0C6D9C1DDA0C97BC5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:34.891{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-53120-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:34.210{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11005-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:34.107{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51262-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001381454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:33.710{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-44647-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:35.449{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0CE5BF934CA76C89F8A6923ADAE4583,SHA256=EFC7105C2B8C49C268E3E2E62180DAD32D65DF4E9C98652A191134C9C8E89FE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:35.449{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378B3A409EAAA2B0DAEC6A36A2066284,SHA256=CBBF53BE59301F44354F08A0B7C67B5EC3ABDD7254D63D6F30F017E6EEA2C43F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:32.278{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-38478-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:31.179{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-32997-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001381493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.460{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-19478-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.028{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-1630-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:35.343{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-15187-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001381490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001381459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.532{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C655F3EDE1F7A92B39847268ECB09FB4,SHA256=F1BEEBC174FABDA4529FE3140B89635185432395CDDE7BF52AE0C9F6626B0E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.495{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB9D47CB1C72F0A657C04B291FCC258,SHA256=1AFF0DF562F37933700FDCCEEB700C0A2660D56EF508838001C79FF157A84E46,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:33.441{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44263-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:36.344{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29EE9CCE30F809A8D3E127EB3244845D,SHA256=57E69E7868D0FB585FD59753685861118C61832144A133B396430DE7239C9599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:36.078{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E13739E0447AEFB89B44D35A9FA8930,SHA256=CA0AB3E51E064795DFD82741A08A4BFD73E1624440D5586291586D9084FB0FBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:37.163{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-9643-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:37.663{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E306EB336E99307041DC1D5240DF027,SHA256=DC0F84BD1C07719D0A07B34FE15F5E8E89C42F3BFE0E4A0DD5E33C6AA6BCD19E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:37.579{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A171D38B6D43255AD16D350192BDF2,SHA256=6FC79EA2D3850522FDF1E59EAE771D4F539EFE0B666316ABDDB41B7256946ECA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:34.716{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50536-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:37.424{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FBFB4103779A4DD0C5622F0F8BC4F47,SHA256=C8F90D7EE7BAAE7B047550B145E094F3163087C37BCE0FE0C0E2C540D4300F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:37.313{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A1C8A454B8647D93EABA595512C1D6,SHA256=B724E0E3383DBA9EFF794515D8253E5B4836ED0327A2B8653B76E3230344B1EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:38.674{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-28628-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:38.263{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-16395-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:37.558{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-24175-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:38.746{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27B621762ACC4BCB149F9ADE7406A27D,SHA256=BB1A2CF0F2B75B3A9D3C194901ABAAC6D1E7A3379EA1E4F21E8AD7B34EE5D3BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:38.593{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1DF3C782EFFBE4F7FD5615890BE0F42,SHA256=D8C3119EEC54B26E7BC8407010585B78C9E1CAE3AA88C3CDC61C8A248D599E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:38.549{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A075DC62E877923F976DA9F5433FD01,SHA256=D7E17321463DB0E768F23CD5B768766FBDE0579F5B218382AB7BCFFF9B206557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:38.330{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94344A03E601A5B73B6D198169EAF538,SHA256=060112FC845932706FB1EA3095D338F6327F2BC6EECE23360C366435DC2705C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:39.460{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-24720-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:39.892{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3656E94E5ECB17B1D5DE8EFC42C8254,SHA256=7688C86484B39266B763E8D47BE2CBA20CAE6373A2EF47EE09BA8AF93C0A6886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:39.614{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4F92CB6160B7D6293FBFF9713128D4,SHA256=257773A9235298C7FB3811A2680493F73F7AC28DD40798FDE842552421262BA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:39.690{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E3FD1C5EBE4041893090810731DE630,SHA256=63DA4AF385C4BDF8FFDC7525FC8588C75694CB23C28F231F57001A06078659C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:39.346{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF3F6A4B3AC28A3EB2213CFDA6DF95DE,SHA256=873B7243591EEAC2DB9E14B0CFCAF264ABFF31CDBC986DC04555CF3A33494C10,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:35.808{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56385-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:35.446{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61529-false10.0.1.12-8000- 23542300x80000000000000001381505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:40.630{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF79E967EAD578B0277A6C8065CA46F1,SHA256=FA27AC38A260EF433BAC41CDA6D58A38DBE1734C5A86CBACCC1647D6DCFB9E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:40.768{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ED7393BD4BCF1B800FF670DCDF5F944,SHA256=A9CBC987B4090747497EB8F7DD8B2A3FD8A8A56A8EC6E0C6664F5BC20A3125A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:40.361{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF8FD38E26ED9223661449468A6369C,SHA256=A189784E4E90AFA38D1D352426AA613CAB50103A18C958EEE28A196CBE4B647D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:36.936{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-2556-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001381511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:40.917{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-37416-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:40.636{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-32104-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:40.121{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51263-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:41.691{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA18AC3744C7D184A2A178092A2EFA76,SHA256=CF6DEED495585F2A88ED07E11B420415A93142080F8E024F752BB5778DB1D470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:41.377{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=973EDAF628F8995A2B795FBE11E9EDCE,SHA256=11322E634FFAE9FFDE26B7D0340023C9A74B73A54AD7952F476ED6D132EDB3A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:41.030{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AC2E798DC9142CAA74D4B48E2340B22,SHA256=D4F9E4E01493FB52C4DAC146215DABFF299D9062F2B259054037315798441A27,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:39.792{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-32902-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:42.056{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-42023-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:41.771{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-39699-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:42.709{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7E9E9D84FA41F5645A2313859F7FDC5,SHA256=CFB08864F0CE259C11A086E4714A04B8AD88FC6331F32E939E2399CF0D04A028,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:38.062{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-8142-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:42.393{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A61CBB8EEDC7AFC022313C384DE4C89,SHA256=D0337A057BAC6808B2BAC0C4B543ADFF2408EF7CA05AC95246959FAD94E95873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:42.259{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF1AF33F51FB2B3DC7AD8B8B859EADF3,SHA256=0136D14573ACC81FD050ADDDA7549F9F757504AD63B4C9DCEC9DF8A853A2815C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:42.049{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DE7E50DDB3CA28B851A36C8BD271D77,SHA256=0843828FA65738A6079A512F90C9A35679FDBF1E21AE6FF24113A5A55A9433BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:42.950{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51264-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001381519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:42.950{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51264-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001381518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:42.896{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-47158-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:43.727{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B214A63624436FED9BBF3BDFF79A05C,SHA256=533EDF42ECA3B2C6DB462D5867BE9FE1131390353E6CA498BA127AE22F9CC4F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:39.327{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-14475-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:43.408{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2822E73C716760035E89A1E44CC774E,SHA256=894FF4C2083D74BB0A032353667BC6B8CB4EB2F82ADF78F9ECA3C2D37380070E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:43.389{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8CC53D652C83401C3DC9734AF5203BC,SHA256=CC7EB007CE067E58EE37CCC38588840AC9CBA7703C455B9455F003D3540FD237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:43.127{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF0D1162BE6A45F15697AF365055EBAE,SHA256=1C11B0220C31172ABF844C7F5BA4D6FE396146740DDB1C3046AE43214E5FD922,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:43.285{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-46720-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:43.276{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse116.203.54.13static.13.54.203.116.clients.your-server.de58373-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:44.742{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC77CA59E81FEA3C685B2000C52174A,SHA256=CD5D65413E3FBCE8B69BD5A98526A8FB89BF4DA34F989CED10CAF81469050E93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:40.463{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61530-false10.0.1.12-8000- 354300x80000000000000001287444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:40.422{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-19216-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:44.440{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B69297A8DAA243D4CA81541C33BA52E,SHA256=C41FB24434A96564EEF82F66E0E3A5FC3BF55F399A7C6CACFD70A0EB974A7C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:44.458{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE0E57A4B00D8A2E751DEFB7FEF4A5E0,SHA256=1857D4BE041F1B03CB36ABE28D957D635E266B84A840C1B2A40A62EE3FF71499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:44.205{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E42AC5737DC4170785A6B8CA36332D42,SHA256=0738572390F232B82EF732CAA11EF139CF5BE223BEEA1AD87034B7625C4DB0AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:45.485{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-55606-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:45.154{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-4271-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:44.401{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-51188-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:44.070{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-55605-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:45.756{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57305888F75C4876DD524E82F7AC345F,SHA256=ACCF310838E3CAEBCAE4F9C778ECF29BFC854D85813CF06CE8A19B00BB2C31D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:45.771{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5706MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:45.582{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E726B1406AFD104A457297C132794AB8,SHA256=2689761A04C039931AC61DDFC44D192A004E4B769D2C0E5E2A5EB7CCD6F35C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:45.557{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21BB221C2C00A2E8D11326BBBF328E3B,SHA256=8687CEEC650A629B735E50B9B322EBCE581196850EBB5C126076DBB349E14798,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:46.576{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-59925-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:46.369{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-12314-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:46.079{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51265-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:46.787{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8EDB7B6E9116560FBE061F0D9FAEE45,SHA256=51DD2AD2BC4B70238617FA07E94C5DD5C5711321149BB12F611CAC42F8BB6899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:46.896{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:46.785{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5707MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:46.612{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E5AE04C71AF2CA970E26757453B6F5,SHA256=8046B9D3D72B2F5D07DF572CD7FF8400429E6949670F35A94BF76F9396315DBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:46.640{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=114C49FA2B0720DC7A5A6526FA49D31B,SHA256=D4A7265840164364457986D0BD5C549F93A8E19DF3482A29F52B3C4AE2EABBC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:47.823{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C85402521F63BDADAFADB8029F75BDE,SHA256=C82604BB1E63947BDA0BA6254F4953760A9D0E96B69EA25B3273B53401507570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:47.852{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F88CF325AFBD2EE4E4C614B325E47E50,SHA256=35C7CED1C07DAA856467453D79B60B291FC32A5CD9E5746FA400AC7AA68C5A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:47.724{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09B63628E3D49831FF98A80FB1CB2720,SHA256=805F05EC4EC70A8ED76D232D963C6A9472158BF459CE784091DCCEDFFE72C53C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:47.424{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:44.527{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-25081-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:47.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=317C4E108A10DC49EBB8BE42B65AC738,SHA256=2110F635DEF0BF171D59E4D4665F7D144E94D323B0844FF83AE4277E5D33CF1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:48.867{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB977AC7C24AD72076D2FD110FA32E54,SHA256=E2409187ECC7FE78BA908769BD5000B3A6C4697CD06C449B1696F83AD9A59B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.855{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D680E9E81EBB14AFAA2E4BF414FEFD,SHA256=D1413F855133370B5038A8F18346A2AFC6CA92B5587DC2A6A9A41123F18BFFCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.758{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1389MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:47.651{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-5044-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:47.537{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-20339-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001287454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:48.320{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5DAE63EFE8A80F58BEA7112D01005A9,SHA256=0AFD1E53126698A869AA51E831BB95C09F21EF0ADCA1B8CB9E489F91825E02CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.870{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36F91CCD95DDF3AFFDCFA52A00981DDF,SHA256=24F93C4F63E17265E418B164524B6960EA5194D2A686481CD9567801A4FD9BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:49.867{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA75E241B4670725F8C9D6995C832710,SHA256=36868DB42004AEA2DE6737AE536115730FAE440FB096603FD87F76EAC25B2E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:49.445{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45DCE13773D09CE15E9F9B2CA542B4A2,SHA256=917AE9EE5DA9032C9215F085C75677CB9ED0B77D81B8A7192373AED6A20EA780,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:45.232{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61531-false10.0.1.12-8089- 23542300x80000000000000001381560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.772{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1390MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.943{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10284-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.920{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10170-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.897{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10075-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.875{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-9932-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.840{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-9782-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.804{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-9709-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.803{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-29172-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.781{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-9633-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.765{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-28886-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.758{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-9539-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.735{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-9451-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.730{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-28727-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.705{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-28554-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.679{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-28364-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.653{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-28180-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.629{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-27870-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.393{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51266-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001381574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:50.886{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5547DDAE10C5BF5F1C484F68DC8F2A4,SHA256=B52753F4C20CEEE07645B9F003774FEC6AAC14090E5C156601B53395B3AE5059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:50.899{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1C3328F99DE5074E74290AB0DF4B43,SHA256=84140554866EFB097ACA643264AE66A94C64CAE4BF29695DCF3F2CB1497CE7A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.243{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11480-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.220{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11406-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.198{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11334-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.176{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11253-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.153{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11141-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.129{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11046-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.107{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10962-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.085{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10890-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.062{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10792-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.039{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10628-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.001{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10513-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.978{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10373-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001287462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:50.524{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=961B8D9D8823A75AE08F2266F9A0464B,SHA256=8BE64FFCDFE678A977AE0F26C33EDE33241A5BC85949C9EF6011348F2910C299,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:46.712{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-49956-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:46.406{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61532-false10.0.1.12-8000- 354300x80000000000000001287459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:45.628{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44576-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:51.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D484668610C8CC19471C13CEAAF997,SHA256=3B18EDB25F3FEFCEC861B344A9F94F0C798D2381474B9B90F98AEDF1BFDBC727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:51.923{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00415B8D42407E94A26CA9C9B64E489F,SHA256=40B9B1630FD65AF0299B1B2AE5E88FEB22481B032F91B8C2409E2B83A9C63B53,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.716{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51267-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001381580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.716{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51267-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001381579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.357{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11909-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.334{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11823-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.310{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11749-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.288{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11650-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.266{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11569-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001287464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:51.930{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF4704B01058328F4427CEBC4F9316F5,SHA256=9976EC52FB15F7515A80BE5C9929381CCD705287968A875C8AAF5BE8EEA6CED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:52.953{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D6CCFE15297EBBA03E8E403809A728,SHA256=AD89A4DBEA7429C02E64C5DA03BAA757C63F4536840732B1D6FA8FCA35754A20,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:49.024{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-1849-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:47.818{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-54871-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:53.983{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAD289929CAA0652AE7243DBA175382E,SHA256=EE98245695C514E1E7176A9F4B2D560500009F67E248CB5B8111E38015E34BFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:53.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5FEF932C502173C22D26FB0C1C35FC0,SHA256=842E35029FF9013DAFDB07B1352C56146AC3EF1E21866DA43F755007FA30B5F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:53.039{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5423090249C4941340CDC36DB4DE2C6,SHA256=B35F328BA01579C986ED942800879B5C326BD2D3D5B09CD61E52BF6A3C48204F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:52.030{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51268-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001287472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:54.414{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C182335585FE807DD431354FE13F4F9F,SHA256=2CCF752CA44F37EEFDFE0F8E928DE9CC7A5B70051D67F1CC608CB55B9BC9AA21,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:50.324{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-8116-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:54.055{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA5AEA4F497BEAB135C3AF1DD397AB7,SHA256=BF788EF0FD46BFF29C0BE762D6E3601A8D806C0F87FE1B1D911DC614A12B9F59,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:51.547{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61533-false10.0.1.12-8000- 354300x80000000000000001287475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:51.443{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-13804-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:55.539{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FC1EBE297AEAB2AE13A7385A459983D,SHA256=65F750496502082F6180737E99895F475B9262AF1F26B1529F3D46CC50424C71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:55.055{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3282F7BAFE86C328A7E878DBD687A587,SHA256=588F6B60D523E143339132913957289C571B49C83E7DAC90C284DBAE5C33E6D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:55.001{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4094E7950A6ED2172153B7B3C9D5904,SHA256=EE7C49DCDEC8768B3D58FD4F707B50692CD2C870163B768A71DD8B46D30D7D03,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:55.810{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com49310-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:56.034{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1963BDD2BDB7BB75755266A1BE4248C6,SHA256=D5D0D5DE1DA3E89CDCD78CD42EDCD468C1925E5ACF4DE5B27F1F9F19013D3EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:56.633{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE02528C39B7F8B79BC915CFB49A04D9,SHA256=6A6D21A88FBD51AF80C1147BB18A5C28502E1DA58F3C7F9A6CDEC659BB58EB7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:52.801{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20102-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:56.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8CCFA72F044457910B15E08B7F5497,SHA256=07775DAFB95185D0C72F7ABEF085D5653AEC05B899EC35E1F3D66952B6237E71,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:57.040{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51269-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:57.048{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E0352BEDBDBC7A4D15E68728673616,SHA256=3485254E4B33D49CDAEDF3E37816E0DAFE93EB32EDC49ADA6B1BAA3B5132E05E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:57.720{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D8D05CD605696CF453BA450F1F2B73B,SHA256=B1D385B097107CF3D0AACB48475CB8D943C39167FA7225560B00A7F5E82A828C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:53.911{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-26031-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:57.086{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5E6D232386E86A59C6E7B6856215B9,SHA256=A4CA71CB35926837B23C3B7E6B1C0E0472439F8B8CDE28E10A0EF7908184AF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:58.097{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B30C7D45FB69445DEB794245C09995E,SHA256=BC26CFE0F82140F50E31BBA56F33DC93DF7E04C6511556B98201F0B5C6E3B195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:58.939{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EC7F6605176B2679310ADFA67BC8036,SHA256=B27D94D167EC03218B7E5BA76CAE5E3AA80C889C08BE2F75F1FC10FA91731DFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:55.006{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-31597-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:58.110{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C20497B2F1D8A414E10F065BDEB72CF,SHA256=DA6EACFF965DCABC78E0D6B745A7D77C29F129F884A310A87F962D6AA4AFE341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:59.116{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4F6AC8742B2B912AB7A14A34185122,SHA256=3D2D469E6C82A01CA0F895A5073C05E219701A645A9C605A741E8CF78405DAB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:59.110{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC86EEDD504212D34200142BEA9685B,SHA256=B8D39FBF9AAF3D39146E4EED9A9E514506B6D81C683A7E4E8788412E387E53AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:57.462{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61534-false10.0.1.12-8000- 354300x80000000000000001287490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:57.310{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-43294-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:56.140{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-36898-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:00.329{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6089DE2046B3BAC756FE67C6328DB7,SHA256=3BD69B602E1B966E5758F69A60D60C0D4287510A5C9EC5648D950EDB91B793F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:00.130{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246F38AF7CDDDE84D8F91955BA384D0B,SHA256=255B66588F81ABFA6DEBC09F61CE70A6E8B96AE343CE9EF40F502017C10C0FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:00.017{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5FACA09EB87605ED30CAF615D1706E7,SHA256=95B2C9D089FB1642E0EC4D1CB511CF03C5FDD27E1F0084EE23F08D00485C38FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:01.564{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1545D4807FF3F2902A5BF88DF9FA11D2,SHA256=16879D390147613D35AFA0AC4FA4D2AD3945D1507254AF2C1879B6746E2789A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:01.145{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DCEB3774D816B8E07DF8E57FA133796,SHA256=3E8BF84427543B43C04CCFB1A1A81BCD6C0B777452A6BBBA55390FC5F558D7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:01.095{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7A5508578DC97DF56AA1EF9DC77B7DB,SHA256=892F4E465C77E9307D7F69E541E32B9823C779CADDCE25B998A023B74EDA7116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:02.610{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF059BBEE1A89BA9F153F82E7DAAADE,SHA256=C94FDC5DCF6105168C9DA2F4C6181E51C0161B14FD4C832F86CF3E27A0B5F6D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:02.160{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA0B94FE1B3A7C6729DBA1260356B8D,SHA256=50240DAC45609FFC0AA35F0696133810C6449E6B2ADFF6EF48E10418962627D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:02.204{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=044B97DBEDEB3AD3F47462A5446F74CD,SHA256=90E002BB49C335B670A713DE9730C40776F834FEABBACD4E5FFC41AFFE1830B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:58.389{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-48645-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:03.845{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD0FABDBBD2BD4DE177312F2FD1B868,SHA256=BF472FAAF9096BD0F2DA10AB8F876DF790ADA750709A16BEEAC1E19274592ABC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:02.220{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51270-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:03.174{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4523F02712D391E7F1F775F5F9AD2DB0,SHA256=E13CE491D8D9B44DBF70BB64F5D9204C5A84F414F3B73CECCFB2074BD020AC7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:03.392{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=193AA685A61B53EA58850998F7FFE915,SHA256=59DD1066461E484C123442C79664C90B56538EFD0C4DCA303C73099AB35BF8A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:59.479{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-54145-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:04.907{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C645B8DDE9A19F23397C2B180B7002,SHA256=31501166E8997FD526DB7E2DD6640036E6350D950766C180112EDB07B0AD3EAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:03.111{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse59.14.196.14-23934-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:04.191{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C683D8C7D24AACFA0CDB90E3346C869D,SHA256=8F408B487C992E878CF6A823C7729CD9D33F9327B0C8443B10F37F5C53F12D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:04.517{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34A2FB6EAFFF39558250B498A3911D64,SHA256=72B88AE5ECE58C1267B678B6D853176CA744E415E818A8703E55A476898245F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:00.632{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-1233-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:05.970{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A15C7088D6D6B4B5AE9C0CB362AC93,SHA256=040C593E4463E372CC3EC97FC4D389B6737856500C03B5FB37927417D86CB064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:05.210{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FBE1C954D453DF40D6C5DBD6451B63B,SHA256=44A203BF6CB37426D06AAAB486EF97D56FE75229F6FF22174DC3EC147225BBFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:05.595{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A30443B0C7ED4CB9435EAF8CE3E09D50,SHA256=B5A3DCF59AE77E86197797B2079D4D876B099F219C2F583DAB722DFEA7F9EAA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:01.796{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-7266-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:06.225{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2767F001CF732BA8A87A5A72DB9C5E,SHA256=B16D428C090FED53A020241C92F874F751457B9423981E353F801A0F9F1BC143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:06.970{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF3ACFC3EFB86ACA59447424B82EEFD8,SHA256=4D206EBFB641464FDD7DB60161D312EC3B72A530936679EB83DC94E2BDE68C11,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:02.889{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-12929-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:02.493{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61535-false10.0.1.12-8000- 23542300x80000000000000001381602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:07.239{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE78864B38F10293D9AEE4A37C0BEFA,SHA256=48EF50C88350FE4D1AD2282C794B89F0A6C93D1E1FA80309F5F272DCDC164123,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:04.232{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-25203-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:03.981{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-18340-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:07.064{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C70E6078759EF4A72DCC17CD568AF3D,SHA256=37C0FF3AAD8DF76A7949D90863D3A665A0F10D9DC89C0CA2AEDEBBF990ADAD35,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:07.999{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51271-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:08.254{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48D0CE1CF40968C2C3D8EE7D085758B,SHA256=FBA840ABF0F8A0BCE9FA2AE194363735217CA83531F2590A08B61B36F52C36C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:04.257{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-25377-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:08.110{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C649948664556084BF710C69DE47AA3,SHA256=73FF2540119584AFCBFDD3DD5F314DB3CE4F83B2E626CC6E0D50DBB8338D39A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:08.064{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AA6CAC863A94CD87A427385FCE0A47E,SHA256=C68143B6C7B39B4AB52DE613811181C6FA4424F673E12A0696282463EDB41E09,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:05.434{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-25048-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:05.341{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-32132-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:09.220{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C4919C00BB986D8DC287AD153DFCD1,SHA256=5E2CB360E39687DF4D99D1ACD524ADA9F6D5ECCE5A46E31C15B813EA7233E1EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:09.268{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99ABB1B00E8F24264B8E052AAA880941,SHA256=5C2FB393206C192E273EBB96E600602228B907A60ECC2D86640A96704ECFB1A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:09.173{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=485B6F5EDEF48556AB642DED2C754F7B,SHA256=87ECE7A0B17A5632A71A612394AE6447F8DBEE70F555E1335C59455B4B3E32FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:10.267{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DF99E864C5317D45396F4254BC5EE94,SHA256=A458ACBB31C2EC61CE7807AF2665D6E02384F661F57195D8685CD5A194EFFA01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:10.220{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0CC08B258056D1EF4742E1198E1F85,SHA256=CA4D179AD3BC8078A054F32DFC6DDA736E3347ECF9725ED564843216FE284E3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.804{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB02-6152-2128-00000000FD01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.804{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.804{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.804{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.804{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.804{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DB02-6152-2128-00000000FD01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.804{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB02-6152-2128-00000000FD01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.805{5EBD8912-DB02-6152-2128-00000000FD01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.736{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FA4603FE40EAD5436E3D0738F45E10AF,SHA256=B2216974BE935DB3A4DA051CFB26E6258FD8CB3BFF63AC0E997A3F87350F5C05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.352{5EBD8912-DB02-6152-2028-00000000FD01}56966516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001381614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.289{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4841B6A1F6C0290ECBBF6194F1995B,SHA256=ACAC0F03F508C9BF594B1E8C859E03A6F51790E4EE6F01A23B3D7674783B3753,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:06.558{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-31184-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:06.451{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-39017-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001381613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.136{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB02-6152-2028-00000000FD01}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.136{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.136{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.136{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.136{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.136{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DB02-6152-2028-00000000FD01}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.136{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB02-6152-2028-00000000FD01}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.137{5EBD8912-DB02-6152-2028-00000000FD01}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:11.335{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6830867A8F47EDB0D151985C9B5C0A3,SHA256=4EDFD0BFFBE6EF7C43AA99522915E93C7E48B15F92762E195A33B39F49F200CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB03-6152-18A1-00000000FD01}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DB03-6152-18A1-00000000FD01}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB03-6152-18A1-00000000FD01}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.877{69CF5F33-DB03-6152-18A1-00000000FD01}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001287541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.626{69CF5F33-DB03-6152-17A1-00000000FD01}12401468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001287540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.407{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D8A2B95F8D7F0A8DD16CFDDA191B4B8,SHA256=64025077ABCDB6A36C3353B5DDFE3092BE5DD82F5E2EC2C3A128E3F24EF0A03B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB03-6152-17A1-00000000FD01}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DB03-6152-17A1-00000000FD01}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB03-6152-17A1-00000000FD01}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.361{69CF5F33-DB03-6152-17A1-00000000FD01}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.235{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F228C9FF03AA92F7CA1E758E03A2AAA,SHA256=4AB88D231A6583A1F86D1045A5A1BC6BD6F7E52CECDBFA9435209C5C18E0DD71,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:07.660{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-36704-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:07.563{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-45563-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:07.509{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61536-false10.0.1.12-8000- 23542300x80000000000000001381626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:11.151{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=160AB20802806451CF0B43529AC48804,SHA256=73FF51DF038237D603EE0BF5029F0F7D5CCDD6DA9936F9012F1D9B581935A4C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:11.151{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=316EF460F25449C5B40B9DE719F0413B,SHA256=EA7895DBED6A3A70BBE19072CDE02720022E6478FD21E497989794A8A066DBAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB04-6152-19A1-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DB04-6152-19A1-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB04-6152-19A1-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.564{69CF5F33-DB04-6152-19A1-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.548{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F421DA317DCBC558650F71A6F50028CF,SHA256=E78BE1CF4A67D496C952231729BAC9CD1A27E98DC9C3AB16BB46EC2CE36EA28D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.376{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB526B590FC729BC77E0539F30CAAC62,SHA256=1B2A46B566A2DB68682449AB1327826C9396B21003BDDEE4168F9E2B36ACCADD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:12.902{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB04-6152-2228-00000000FD01}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:12.902{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:12.902{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:12.902{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:12.902{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:12.902{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DB04-6152-2228-00000000FD01}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:12.902{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB04-6152-2228-00000000FD01}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:12.903{5EBD8912-DB04-6152-2228-00000000FD01}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:12.350{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE20B35854C789BB9FA4467058E19663,SHA256=21879222864BA077BCFE13445B1D2278CD87F6BB19806C6AD7AC9649238B3D71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.126{69CF5F33-DB03-6152-18A1-00000000FD01}17362372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001287556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:08.748{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-42414-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:08.638{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-52109-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001287603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB05-6152-1BA1-00000000FD01}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DB05-6152-1BA1-00000000FD01}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB05-6152-1BA1-00000000FD01}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.770{69CF5F33-DB05-6152-1BA1-00000000FD01}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.767{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD5DD17BFA989253D8D02F9AFD15FCA,SHA256=B8D99C1D8DEE6C9B0234D56BFC0C770107E5B82C7C0C8D9049DDB6C968566126,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.595{69CF5F33-DB05-6152-1AA1-00000000FD01}40483420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001381647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.917{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=160AB20802806451CF0B43529AC48804,SHA256=73FF51DF038237D603EE0BF5029F0F7D5CCDD6DA9936F9012F1D9B581935A4C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.833{5EBD8912-DB05-6152-2328-00000000FD01}64447024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.586{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB05-6152-2328-00000000FD01}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.586{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.586{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.586{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.586{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.586{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DB05-6152-2328-00000000FD01}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.586{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB05-6152-2328-00000000FD01}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.581{5EBD8912-DB05-6152-2328-00000000FD01}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.365{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E097200455D3905A1591DFD989E30D06,SHA256=9B8E8DCDC7AE6387EA62CD80472ED74BFAA609EDA54460CABA85DD6388FEC162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.579{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D78B231380CF467008109E85E5485EE9,SHA256=E3EA99882B908E90A3EB2FAA5E66381DA01CE9330640BC6AB31472C8ADDD490E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB05-6152-1AA1-00000000FD01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DB05-6152-1AA1-00000000FD01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB05-6152-1AA1-00000000FD01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.252{69CF5F33-DB05-6152-1AA1-00000000FD01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001287574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:09.837{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-48107-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:09.779{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-59108-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.907{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE99657279FB788F96D96190EFFCDBA7,SHA256=171785973BA685D040AC2E324693DF84BDDF21A0068F2EB44BEB47363FCC2723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.907{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6440D89EB8658EAF4336FEFF12AF5EA7,SHA256=06E941A2AC0472DC45D9132BF25F1EFBBA1712155313C8D4098D80E2661F36C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.644{69CF5F33-DB06-6152-1CA1-00000000FD01}572312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001381649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.241{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51272-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:14.401{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E912FB8D31A241700D303E18DA53882B,SHA256=AFA7E8A266CF38E21822D474033CB2D7EB631421AF7F0F8764C70E3E3A690522,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB06-6152-1CA1-00000000FD01}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DB06-6152-1CA1-00000000FD01}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB06-6152-1CA1-00000000FD01}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.455{69CF5F33-DB06-6152-1CA1-00000000FD01}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001287605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.013{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-53910-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:10.929{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-7326-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:15.402{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA814540B679C0E0A6F81353AD17244D,SHA256=32173F35ED2D4532DFF65DCE30C5F3ACEC91BA22C75F78EA50DBA79C718499C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:15.673{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FA2AE1B80ACC742657FADDE5C901BC,SHA256=9897DD10528DE92FA1BD569323B96278FDE02152729D860BD171F80BBC19E662,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.231{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-1288-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.154{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-14901-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:16.673{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F564348F1D1EA36E85AA326DD35CEB,SHA256=7513A6F42E25B645624C56EC3D39F76E4BCEE86118E12AEEECA8D4FE8DB2D781,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:16.801{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB08-6152-2428-00000000FD01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:16.801{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:16.801{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:16.801{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:16.801{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DB08-6152-2428-00000000FD01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:16.801{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:16.801{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB08-6152-2428-00000000FD01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:16.802{5EBD8912-DB08-6152-2428-00000000FD01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001381652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:16.417{5EBD8912-8CBD-6151-0B00-00000000FD01}640368C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001381651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:16.417{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E358465864B6F7B6E39108214AFEF88,SHA256=39A656B5503236962C78F1A72B46BA8EDCC23553D82A98BA98A6B726BD2D6D69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:16.064{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6298612AF6D1AEBFDB996EE654A8E640,SHA256=051EA6224F145F884F51FA3A18D2ADB372C5840ED9A9278F23A8E0BD52721573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:17.692{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD78E9506738A6CA4DA2A1312B43D939,SHA256=1BC27366033325851D4FDCBA5532DAFCC1A0AE1A66CFFEEEF8CDB29594CB9536,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.684{5EBD8912-DB09-6152-2528-00000000FD01}51966356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001381677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.413{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51275-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001381676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.412{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51275-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001381675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.302{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local51274-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001381674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.302{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51274-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001381673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.295{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51273-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001381672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.295{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51273-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 10341000x80000000000000001381671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.484{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB09-6152-2528-00000000FD01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.483{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.483{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.482{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.482{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.482{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DB09-6152-2528-00000000FD01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.482{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB09-6152-2528-00000000FD01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.476{5EBD8912-DB09-6152-2528-00000000FD01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.428{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2598276F60F96875155683A4307FDDF1,SHA256=CB67F8F9539EE12A8FF85A3D7F7C89435A1D6E656037BD522FAF21C61C02A153,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.449{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-29146-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.478{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61537-false10.0.1.12-8000- 354300x80000000000000001287629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.344{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-6925-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.344{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-22331-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:17.189{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6237B9BF5DC464ED26ACD94069C90C3C,SHA256=1C3132DBDA6401CA085B039CCF302453580FF94B71EC2503C2C82CA04EBD5852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.331{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04E9D4A8DAA3405D363598591A831BB8,SHA256=5EBB29CC271BC065C214B5C15148AF466243C7BB276B93DE8CCE84A9A4CB0E8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.032{5EBD8912-DB08-6152-2428-00000000FD01}68246872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001287634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:18.692{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98316979A94D3996C21EDB4F78080820,SHA256=29CC6B55472DB7268E57F463011C96A38E2AB08944AC708E0F6552369FBCF825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:18.480{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D64CCD683C9C8B33EDFAAF65839CEC91,SHA256=72428DA0626F04CDF52012AAA22936E94DBB687AA58027555B1083A909540080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:18.431{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C3269B2D456CBA783D26CF79D04A3E,SHA256=6A77AD60CD6265F0D15C1E08A57B5ED72022B35BE8BB9AC31168D21D2447CA1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:18.317{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3102633DA57DF273ACC631D049579FFF,SHA256=B701092ED7B5538F31476D5E8126B00E3C95B9AEB7B4AC1FFE2F90580B5A3265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:19.723{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F853EF4958D2DCA82B9B65C763A2EF1,SHA256=05E2A9D7E7DE2C082E31CD57B71566A8E6A2B622B05A2C10854B6E6E6C70C8EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:18.990{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51276-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:19.432{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5D00919127AF5792BF44072A90ADFB,SHA256=4627313B1CC8982F6D44CF9EDBDD07D0E862CE12E6D04129924D22C93631993C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:19.442{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=637EDC90FD2D24E46C5CD7C9C94F83CC,SHA256=15F7867D47AD0C7F29F42279D8225A9AC71E789B83CA70E06AEB79B46684B23F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.560{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-13061-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:20.802{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB19AD51992310215DCD398974B39FB3,SHA256=98A050B97C9EE9C2BB84375592D34E3670046E7C4DB80A55DF2BDDF4CDA25486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:20.432{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=196C33722270275413775679A95325E6,SHA256=5FCB6FB2D19E2C8E62A70328A2CB39BB106AF51A3104A3E2ACAE4CEFD4D1B050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:20.567{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E8FB01F01BD959117E99BB16DB4CE58,SHA256=DC69D3986CD7755F40EF99B285886CC590F5E1C2BA25B108D8B964884F3AE1BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:16.703{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-43136-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:15.703{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-18648-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:15.575{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-36122-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001381690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:20.101{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB0C-6152-2628-00000000FD01}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:20.101{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DB0C-6152-2628-00000000FD01}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:20.101{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:20.101{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:20.101{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:20.101{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:20.101{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB0C-6152-2628-00000000FD01}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:20.102{5EBD8912-DB0C-6152-2628-00000000FD01}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:21.802{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6CDF0A81F56FFF49EB97CC051978333,SHA256=90E9DD745C6EF03D6E51F0C53ECD7C185B0352C43193432FD241F5BE3C017645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:21.432{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743055ADC459077AF8666C0A06CF39D4,SHA256=0C523E88AD8ABB6D50A42217674B1E8F12A05ECADFA15394A183D93D799CFA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:21.645{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B278A27DFB6060635D8FB38E4C7415F9,SHA256=7C98B390D385418C7F7526082A66A84C915F488FC88F366B136967438A3DA94E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:16.900{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-24290-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:21.117{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16FC519321A2E6259470020C43FD4701,SHA256=169C3778DB695333C9360D160E5A1B0F6A11C6CD6309DD134390097668FD1260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.802{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8324E03A660DAD1F3A708088A9152362,SHA256=7BAEC8E021E277EF1E33C4567E3CF7061F91D74ED6AD50601AB91F154ED39C9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:22.447{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A704A70AB3E05D2FF8F75DCB3249ABB3,SHA256=D40C3C6ECEB339A0F84C92E408B69AE94FB90E1DFDC34DBF3965BF3C65E309A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.723{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8195F3E40A169B41461583C8DE7F82BF,SHA256=76E121B43C38D232F8BB0195F3906B23EEFE09EAAD2B32F44F08B47F189DEFD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB0E-6152-1DA1-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DB0E-6152-1DA1-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB0E-6152-1DA1-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.584{69CF5F33-DB0E-6152-1DA1-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001287649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:19.141{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-35686-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:18.939{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57017-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:18.017{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-30156-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:17.814{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-50217-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:23.864{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86FD1DF311AF745C08DD7A286992D989,SHA256=2715885C60FAE7A321E74822213FC66E26FF9C60261A551C69214021E54AF40A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:23.817{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7B8069809E111838F0717F5813C9AA,SHA256=062DE4D4B73574F534D4A68AE965EF38A6AC90B0EB74F30FA0FF9A268DD614E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:23.482{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063FFC4CB507BF66473A6B46A02C0CAD,SHA256=A223C4BD880E691E532D04F97499820A8049223334B379AFFDE891702609EB38,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:20.295{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-41380-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:20.018{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-4464-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:19.434{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61538-false10.0.1.12-8000- 23542300x80000000000000001287673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:24.958{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78A9A4EA0DABCED15219BA464898DCF9,SHA256=E938FAB29B36A1DCECDE5A2CC633CA9071D076BED413511DB212E09336D83A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:24.817{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71554282CB8B41D212543DD60F74F4E9,SHA256=45B1D5530D30D171A7D52F56FF721326B0E710DC673BEAF653352D7902088A3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:24.169{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51277-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:24.498{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C81C0DEEB52545DC03E8DF4ABBE8C86A,SHA256=64C9EFC01CF02D888D4A3F8F308318B7BEC6C16F0A2E99E22014F38DFF23177D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:21.405{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46994-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:21.110{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-10979-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:25.833{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239AC50EB8827DB3860D94E345B92528,SHA256=A4C482D20C71FD4F332D09C166256C796B6E20E40E5F1783E3CF9E445EE3CB1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:25.499{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E5F2663047536B3DABAC2B18594E6B2,SHA256=2139B0DF340CD1123C8F5597EB27978CE3348FF8484BE480F10A322C862147E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.557{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-52863-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.236{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-17825-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:26.848{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4556C281312AFA79873C2A5A77CCB21D,SHA256=9B1104D6CD5ADCCFCCC7DFF20E0F5D799F05284EC0089DE482D70293F04787D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:26.560{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533A6A6A4F57847D71A6558C870025B3,SHA256=6CA443C4E5DACA0567BCD87A61F9B7F740B7033697C9D9A073924E12D774CD2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:23.380{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-24769-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:26.114{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FC7495F57AED740443582A624BB4DB9,SHA256=FBB4D05A4CCB369B9DA86C30A52F5FDD81C19FDC8B8C0A6CDBD49DF22F75F2F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:27.864{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F73F0EAF36BB3A532318FFA137BF1A,SHA256=516C4A00938FCB192B6F854CF5E3C9DF3875D2A3174A45B948D4B98E636E39A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:27.596{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5031D9D7AC8E4EBE2F9EC060008E17F,SHA256=56117E2A24BE866FDD591EDAE3A342D2977A0A341F675F3AE1082CD30DB58A15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:24.575{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61539-false10.0.1.12-8000- 354300x80000000000000001287681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:24.486{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-31568-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:27.192{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E216AA51C5AD241F10003F46F2ACBB7,SHA256=EBD707040971DF84F6F40F2A6A714BA1B3A37E1B57508E68705698412F8D2578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:28.880{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE570B12ECFF98A0ADAE457931888499,SHA256=21AAB2B2DF25231E6086BFB8F63C5DF3C497689947E1571F6EC709B12D6D29F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:28.627{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9D08215B3C0A85BF48C886E4C85779,SHA256=C10A76B6AD607ABF1363AC9209ABB727243EB078CA2D72ABE7CDFD44144F3412,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:25.580{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-38244-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:28.317{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10C953BC275FA530A9D258E30F07EAFC,SHA256=5ABE112351CF3A4B42A7FBDAA919EB7D11D620344B5F33C568A33B5DCB18552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:28.243{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=363711E368C08FDE864EC62A9FE2F1E9,SHA256=90BACF7D938014AA30CB49AF4DD6BCAF63A7FF14548811B12113DE16C7D30064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:28.243{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C53A41EB7C2C5F811CBE33626FC7379,SHA256=BC613955910A527A72C5D4DA8F42DDE1F65EB2ACDCED3033B11AD6CD1C55296D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:29.895{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B832A7D3F211BCF1111FE3E73AC4BC26,SHA256=42BF2E88CA090BED0E7CD660A1B67D840DCF74DCB73DDB9070C93A8C34E92A19,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:29.187{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51278-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:29.641{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926372636B3764351C806D57659FAD90,SHA256=15A17BA52C7234A9954DEE15DF783B7B005A2AF7159EAA6F2C7126DCA92C30B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:26.689{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-45049-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:29.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2447645AC628796B7FA02BF13A27FB59,SHA256=39E771D897458C4E64E2510FA918CB14C7F5D31F1ECAFBD0FE646FF3BA4129C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:30.693{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C694054BEF2E947DFDE595E2F2708D1,SHA256=960D23AC340B4AB931B783092CED58CA3FFB39B5C08BA02D657886C7E2E10CBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:30.895{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E4D14F422A425CC7BE05C694533E8F,SHA256=FBBADDAB64F6CE2E01898A38C98DF04BB90ADC550BAA4AFF75EC1874F5F3A00C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:27.767{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-51194-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:30.473{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BBBE14D48E931A713CB404497DAB77F,SHA256=360AD2BB375CE6A959A90F18603DD6F30DE32AC9A01F985E566189B0797640FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:31.694{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E78382DBDEC3920D3149379C4BD67AE,SHA256=9878E12E11DC60C4ADD910CA90E1826ED583E8C7095AE5989D134AC667297BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:31.895{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD411765C1334D19168E72571DE5E3F,SHA256=CD5609376A3C0D8D1EDCBB539FFAAC4797D01E7832944F184F727E60D279E1FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:31.551{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB45DEDF84ACE39D504E64CE22DB3A6E,SHA256=116D7D76367C09A9518449F039C11844831432B00DEB9B1228F943A58E36F0FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:32.911{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC68E1124DE16824C30C022A6852FAD7,SHA256=1656169E9C87B0089474EE8C1DE43E7B7933DC26D351A6E68B6D535928437A4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:32.709{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C47DAB3DEDD313CC8CC430F4FE0943,SHA256=7239FD51506D52789FD879D226DFA0688E50BF49536CA04F53B41A978DEB6CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:32.630{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2B45B39E532C3C3740E29AF1F142D58,SHA256=EBADB836836823082886114C07F0A9791D76A6262368B5F67D4BDE0938EA4FFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:28.845{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57682-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:33.926{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09CF50D5C7F91C5305C9A92ED04140DF,SHA256=F46DCD987954CD7D7EE7C5D20E9FB1D9AB365C9C04430B7CBC7E4ACDB303493E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:33.725{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95561661DE0B1FEF0FD1EC248196F0CE,SHA256=039673DFEABD6C0C2C0145BF74E6EAAB1A854243BCCB650AF934DDA86AB20523,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:30.528{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61540-false10.0.1.12-8000- 354300x80000000000000001287699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:29.923{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-5311-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:33.708{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D01A9EA4514EEDCB0D76E167BB0AFE4E,SHA256=98EAE5FB54C3C2C8F406D5D3EB7C68747CAE90F481BAFA2F31C5317C9B3FA3AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:34.755{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC14901C71C36D336616D0C6E54568CA,SHA256=48D1D35BFDB43EA2FA0ED52A2473EC5C3DD75491430F145B1038C956AC3D43C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:34.927{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A5FABBD08DE5CFC810B01C821F6F7DE,SHA256=481883C90C3C3D1A68F0A552DA8E36A11D8D02A8F46275FDAA1249A49E6CA363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:34.927{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B34FDF287F2DA8F2F0CF1B5EA7D8FA7A,SHA256=FC5DCCDA515002156D3283B0F2DDC7F0DCA389C7393F4042DA3C9E5F732AA922,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:32.095{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-18211-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:31.378{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-37873-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:31.354{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-37754-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:31.001{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11630-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:35.942{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5FE2F31B9D9630349EAB18D5DA2B91,SHA256=718FC4977E1A49355DCDFD65EE229AF81E37D714766E9F6EF8E2919F9AB043F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:35.215{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51279-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:35.777{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947AC42A76C8EBBAF4FC5BFFA916D924,SHA256=35D788AB3E120AA71A324186ABB41AA4C178ED4AB2AC38117B5DD03AED322C65,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:32.665{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44212-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:36.942{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D63EF34078E2280C3C31743647FCCF,SHA256=84505CAEE495565479AE72B6DBB4761608CB3BF8C19CE6C4B666C0409E685ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:36.823{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B609A9298226B6EA34C91DD84D373DC0,SHA256=C09A9B836C1E6FBE3EF71367EAF5897E8D8D25A64E977101FF9A699ADB553739,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:33.985{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50640-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:33.314{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-25704-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:36.020{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F71EA366A8DDC58CCA5ABC9E40E342B,SHA256=B66E4C8D1A884C7915FE020917C0B9AC08AEEBDE65D7B225E217A81359858519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:37.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A038653537154ACC17FBF62A4D02F95,SHA256=61006E4E0808694D973FE1C5CCD07E1DCF245272EAAE5ACF664A1C6378E1CCEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:37.838{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467CD12E5B952C45730B9DE540E09F20,SHA256=8907084CB759C720629BB282733F102A3182698CBBCFFC97EAE2BE9D8AFC25F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:37.083{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BECFFA6AD92E9E3A13C947AB6FEEBC50,SHA256=8EDF3BA747E43A61FDA8CFFD2A11F88FBA0CF09945C68C335AE391F1A10B9ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:38.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85303F19C839F2D7952348257607EB1C,SHA256=93EE157008B405D7E7A5AC43308CAC227BFAF98513E0B619B7BFD23F1F18975F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:38.853{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAEF62A33931875B4FEFEBA3F1EF9709,SHA256=62804FCB21C52E31018B745400619B5153B6BA044C2AC39590021103FB7A9CD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:35.064{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56414-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:34.392{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-32208-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:38.179{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2A48F53EDCD401B0080421D84AEB86C,SHA256=AEB52E656D67F65A3674ED509CB3C89893AF4718446ACC8DA3540FDCF4010367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:39.872{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1363C26DCCE93965FE526B7C620B511,SHA256=F92576CB6666B6E202109EF55B63B724E0F6B4252EE968280B942F17FC444CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.960{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0890A80E0DA9D265517B88AD3D8680B,SHA256=466FC50041113F4DAFE10D00CAB8EBDDF9AAE3C86713A568E495A501E2B03783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.257{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23B750DBB14C742E6ED970CFB3AEC5E0,SHA256=A53F62049C5B57CB1A9E6A3917C5A1F43DC42020478FEB73AFC36EDB0B93E76B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:36.189{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-3008-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:35.470{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-38534-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:40.889{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE57B20B964627E3C9F29C15B26AAEB,SHA256=37623D9A27419CDB48BA7F00B1EBFF9EF5BC0D5A4D10864CA107DF85DB6596DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.976{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A6D3F08E8755038CD2F6EF56B4A13F,SHA256=26212800C20466CEEF159B27B817F86DC181C4267746EFFD52F626DF1242EF3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.398{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=370374C0BE6E41DD82F6279089B288AD,SHA256=C194D1C37A8C726819C3E3AA60991DC5A82A81E4E79532F7C6F4CB6D676AEAE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:36.566{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-45056-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:36.515{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61541-false10.0.1.12-8000- 23542300x80000000000000001381718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:41.920{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682B2EE0E840FB24333F31472C0FEDEB,SHA256=A454F85AEF03AF67D779B00040DE0930B8DEF7E87524A39C39518EECC8DD5047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:41.991{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA8F661D4D71F16F45CB6F61A8291AD,SHA256=DBE0BD6A27FCF3D2EDDEBE823FC3B689B0BE859FF209428A21EED4F3B8AD6B9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:41.460{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB1E098780CF369EF1F83A6F1D3D712B,SHA256=E7F8D0A88FA365E3DB87ABE3FAAD5E869CCFE65351DE7966A6650158719DFEAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:37.659{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-51607-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:37.441{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-9308-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:42.991{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35591A9EC6B4135939FDF046580B4980,SHA256=EAEA6EF882D0A98B424875B031192FAAF8E472ABA285BE3B4D12732EBBC1AB88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:42.988{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=060336D9E4FB23DF23C5880BEDC723FC,SHA256=E3FF18B4527D299DC7571528821FCEDFB81AEEF29DB72789CDB414CD807D0AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:42.988{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=363711E368C08FDE864EC62A9FE2F1E9,SHA256=90BACF7D938014AA30CB49AF4DD6BCAF63A7FF14548811B12113DE16C7D30064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:42.935{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE89F09080ED95604A0FCEE01EA46D5,SHA256=3F7FE580B30A1D84F3BB81AD7D20E116DB7975CD0980F6794353997F8E3ACF2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:41.196{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51280-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001287733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:42.523{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB64E6F78F057DE13D589FD20C56435B,SHA256=41DC282CFDD884CBD03319AC1A3104ADA107C234E036EF90A472DB8456068B9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:38.553{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-14944-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:43.950{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ACDDE4C606485F8999AEE269F5568F5,SHA256=D82391CA109657C377AC60241AB99D04363DD89BCB42097D4F7BDB6054CB27D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:42.958{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51281-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001381723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:42.958{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51281-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001287767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:43.820{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BF40059594C9B6C187FF8E68B30AC82,SHA256=09601B919570D71A5ADCFDE6B348BD0254759BFCBE140E3F589F39DA7C7C96EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.561{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-10281-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.539{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-10143-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.517{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-9996-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.495{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-9801-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.461{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-9681-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.439{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-9447-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.401{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-9313-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.380{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-9088-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.345{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-8902-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.321{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-8757-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.299{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-8599-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.277{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-8481-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.255{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-8222-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.216{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-7979-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.180{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-7813-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.157{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-7670-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.135{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-7360-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.101{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-7077-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.062{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-6986-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.036{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-6797-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.999{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-6582-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.961{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-6466-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.940{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-6327-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.917{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-6201-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.895{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-5976-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.860{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-5778-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.817{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21159-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.793{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20990-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.770{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20725-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.729{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20572-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.707{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20455-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:38.769{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58407-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:44.968{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B0027AD481B95617F2F672A12C6ED8,SHA256=4A4FFC0B01CA3BC8238DDF3981713DEAF557EB011C0CF927596808AB6D016C8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:44.929{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DCBC3A13F1A5E49A173019921052C2A,SHA256=5B8D5F94501683625C2E71C213740A5ECB791B4ED7BC06A2B5CD0838AF58EC8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:41.051{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27630-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:41.029{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27494-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:41.006{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27240-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.955{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-12334-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.933{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-12150-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.910{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-26800-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.897{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-12011-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.875{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11895-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.853{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11808-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.831{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11696-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.810{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11528-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.773{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11355-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.736{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11260-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.714{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11122-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.680{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-10854-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.641{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-10747-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.619{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-10628-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.596{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-10409-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:44.211{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A56FE9E816532D095B1AEB30384087C9,SHA256=3B06A92ABB104EA0A8E9447CDE609EF4B23251ACB5DDD95ACCB3499A00950757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:44.179{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A6EFFDBA614E30242F9C1B5A3026E3,SHA256=6FD0D37C756BA57C7D78F6A9A56EB9C44D53FC6CD8B5669E1DA0EDF5C9F389EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:45.987{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3660B18520E2000EF7178CCA22334D0,SHA256=CBDA9B9B50F4FD89396C034716B6C63D32ECA667B4C5EB10E8B81C5D3ACEFC07,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:42.192{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-33381-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:41.087{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27750-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:45.398{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8BC781124E43CB3A7ECE25FC03993E,SHA256=635AE47A26C11F30E3089241517E5AF6D778362868F50E29FA93F6AEE4CC25CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:46.988{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC60E9C6BB22B09E4B9C2AE07E07A667,SHA256=9113A0410B8C8600C56462B9E63C5B46D22E575FD2AA7A213ED9FF8905F77C3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.916{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:42.562{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61542-false10.0.1.12-8000- 354300x80000000000000001287794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:42.216{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-33492-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.413{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE7C9233F6A69D1E3BE30DA98B502FF,SHA256=42A0E774DD45DA5EE4F71EC3BFCE435B5A9DD67A2BD7296562F5BFB5BE366E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.116{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6BC101E14D0C5DB98557D9DE6E8876E,SHA256=195D2913F38BF8A5BEE6E3286C19E64B80F04458BB648CC9A5D5D0C3AF80A0CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:43.372{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-39019-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:47.483{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FEDA996014098DE39C2A14457306232,SHA256=5848A88CA2FEFD4C6F29C320151E78BD607E7168F0BFF2A55ED9B0C5D79F6A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:47.450{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:47.294{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5707MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:47.259{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=873A2CB70F922E110722540BD61BE92A,SHA256=DFB425AD5ABD40E34BC8C1440BAF1A6766D2DC32589B11EFFDBD3C48A74A4945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:48.674{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD67AFEC197F4FE1DEB2B5388651E980,SHA256=2CA52CF2C673ED9B51DF02D3C23BAC6EE49AB5BAAC715CD87B93B393D50A7EA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:47.110{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51282-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:48.018{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2137A01A980284C7D3B252BF8A3ED5BB,SHA256=37D933CD3B3B2D4F42672DCAE90C212DE7F6450A5297F264A7B769B6697649F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:45.252{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61543-false10.0.1.12-8089- 354300x80000000000000001287803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:44.536{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44899-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:48.330{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22B5CFCC5819717A80F220B2A2102547,SHA256=E1B12CDB9A10DD47EBE876395C6892AFAD072837AAAD3DD15AA068803DF87396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:48.297{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5708MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:49.801{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B24833B9F336D7FD3D1EDA4296DE17,SHA256=BD69AF4E37C11B4BA73BDC5D74B3496A2371184C56E8C99B98F10A2FAB89D43F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:48.425{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51283-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001381732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:49.033{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB5A28CC2A5FD0886A62CF9302A45EE,SHA256=F51C34227AD14F7E811B578322EF9B4A634F67329846E2333FBB66603EC93CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:49.770{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A212DCCCA26BE77EA9F60FDB4F8764C,SHA256=A66C6592E6B20D18A222BF3DB1AC73B37A0673481DB42C6229F4846EABA6DFB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.734{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-55901-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:45.631{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50440-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:50.879{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F5EB085458AF051E34855EEB1D3C0D,SHA256=C7E751F0AEE41A22DC4016405C3B2F616BD34B97A4F5D441DCD1D0286488372F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:50.306{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1390MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:50.048{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E294853EA0404F26B523E29AB28FF851,SHA256=3104326734EA1438FB9CEB337BF7653DDC3F3189692BEF8333A190A6DE132988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:50.864{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C94164841DF80019CA69CC1738C52B36,SHA256=8E19FB8C4B05D5828D8A9BB5BF9ECB2404A73ED3C7708EBD2E55E28F293E2A5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.928{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-57111-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.904{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56989-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.880{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56881-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.856{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56761-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.832{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56619-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.807{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56460-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.784{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56343-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.759{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56156-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:51.911{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B6CA05A9894B8777594D11E1CC0F5A,SHA256=7EB5DF036BDDC480EBFAFCFF8F6384E159A8A3E66058836AD1CFE4901826896B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:51.317{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1391MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:51.067{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C9D825E4A9F5E2A6F51C4C4B832CFEA,SHA256=37DB1EF279E91E5B8F733119FB3EDE9012B03A75A522BC28EDA6F712678C93DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:52.086{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67622752E81EF0C47E4400DE79E4497,SHA256=8243B691ADEC802D34E99E76192263F1513ADEE95C79DD3BE6CE5B4DE13CF6C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:48.544{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61544-false10.0.1.12-8000- 354300x80000000000000001287822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:48.151{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-4055-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:52.114{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A198A443D6BAF62A3AFE6CE22E9182CA,SHA256=EB3FCA7AA64359AFBB1DA4D0B0CAA88881D6A4F947A682D97F70AB72D2478851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:53.208{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E68A423C26F0FCF258C0FA854CD0824,SHA256=8A1BC7F735654586304432AD2CFAA16D9A5BCF2201E0820C4FAAF81732D5D083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:53.051{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53F76D27A263740FA9376644C9721B79,SHA256=6EED8272866CE659D232E418E3E5DD8154CA0E4989B31ED86E7F20CA57E058A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:53.101{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4843BCFD5D6A09D10896677596DB0AD8,SHA256=F4DB10B1C2D147D6B33031DC96455E3730BBDC9FFA350A11CC492B5425463625,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:53.040{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51284-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:54.115{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE2788A388CE03BA47B73B085F0A1DBB,SHA256=B1B4320D3F11D7B77F2668BB470F11B5A17E1EB081C414E43611707228CAB175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:54.301{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C04FC72188E8AC5C00C1318501A25CD5,SHA256=CC159C35E2C9BD347ACC6BBD689FE7238B28487D4287FD7BFA45DB173627B5C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:54.051{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3232A6CE71B416F9751EBE5B517046,SHA256=A453C94C04F0234FB2D04742E2DB1BF890A3E08E67070410467D251080581D7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:50.488{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-15773-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:49.373{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10215-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:55.145{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3449D4FE1CC22F77B4AF97A05B8688,SHA256=94361F53CE7687B78F83BEF1C4FA49874F1C23747643FFA63DD90A501E40806A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:55.442{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=529D2F7531D43EBCC87E3EDE098E5C62,SHA256=9481A471C0F533DF32AD3F2615A567D59377B59540E33896473671E6B44FB9AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:55.083{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AD78A56EA5C83C35E1AB5D89E6A249B,SHA256=81A79B5C7BA39B73F2B87164917AD854A8AB2FF094F06E09A01317EBED38F28B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:51.582{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21150-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:56.198{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203A121F32FA2C1560EBF3806C811C41,SHA256=4CF333D88031E6C02BE19897640A4CDB4FA57860F4BCA60B2A473A672B9D0883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:56.614{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEA177B62D1DD8270C09E4F597E20292,SHA256=F6CC1B72A0246334A098EFDE14CEF99AA69C06091E0982B90BA860E2AAC8060E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:52.696{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-26974-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:56.098{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E8DD4DE01C5C8BDEC478F9E4959172,SHA256=1D242A9C44CF19EB969C207AE62DC1A3F9D53C7CAC5744486D3EA2A512297AEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:57.212{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E653A01473826C63C32AE2DFA3724CA9,SHA256=C51CE21F5A882CDAE9B91E90CCA9DEDC41AD17ED5F23A445188E7178D988D3F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:57.793{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=540CFBE919A47E9A64AF41F8189F7B95,SHA256=F9819D8484152A9AA3BC20AD3153AC47DD9F4D8CC1BB75B54EF2A5677CB03C93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:53.829{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-32905-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:57.098{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A41C072CB13C649237EA44DD163750B,SHA256=D9B48F9B08B2B9E28F7F57D2C2B429341D783B9E19F2CEF05949C7843BF05AB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:58.871{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69B4E36B290073B8667AEE833F60E5AE,SHA256=857BA2B1CBBA17CD8E4AC975615072E3C19CA6864F7370370FE8D510F6C5705F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:54.994{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-38524-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:54.481{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61545-false10.0.1.12-8000- 354300x80000000000000001287840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:53.869{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-33024-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:58.106{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78969FF31560F813F3B943A8B2F6C538,SHA256=6ABF50F5BECB4849EEFAC0EABAB744E60A333CCCA90C8137EC48CC1865E41D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:58.227{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809DD6019E854D3993FAB48904A47784,SHA256=E7E27AB6BACDE29BCC2306A4487F4528395A644080E7FFB650CCAA75A01DDA21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:59.106{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E96D7FF2DBD3E8594AABFD487A74FDB8,SHA256=BEFAA9A19DDEC04BFE9EA85C45157C87479B81CE05B1071F908A788019B4367A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:58.250{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51285-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:59.242{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A172ED05FC825B18268DC97447C1A200,SHA256=FBDE32E221BE9997776EF69FE19F7272BC05A6B4B1C1387B6E66D53E87EB71C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:00.261{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E9BBE2B2911BD3088DB4613FF2C6BD,SHA256=7A2EDEE4EBAA44818FCE51F8C65D6AFF2583F599160C64DF63F1F6CDDDEA7B29,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:57.388{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50705-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:57.362{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50504-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:57.336{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50274-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:57.291{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50181-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:57.267{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50115-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:57.244{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-49982-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:56.165{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44202-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:00.137{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1FC7050F4DFA402B09279579D061294,SHA256=398B42AFF96C059EA646346DE80F54DDFB194EB62E7CB10F911E11E2F244FF7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:00.121{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D9FF0B5D279A7BB14C782B6BA1A307,SHA256=9D005B94867E034797ABB19EE88991792620A8DF84FE34CDDF930A189CE3112A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:01.279{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353498A6015F8E50FAA384E8FA82B3C3,SHA256=076D239D9443D494B43EB8E02315AAF301D1925FEA4B1B6A21876A1E93D5C77C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:57.412{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50890-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:01.277{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8183AE8741865B597C6D7501CF4E19A3,SHA256=513E299C4568F05713479758E47F46414ED6415627827A9E487450EABF4FD65E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:01.121{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C88CBE2939A5B2352B3E4852BD719D0,SHA256=692C1AC3FF5211A995D3AB1380EEEB6135DF666E6A61E45002DC428E1DE4A587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:02.309{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F868F6BF6A04452E397163A80CB2F485,SHA256=C0B48123C42425080C6122CF175EE22A6CE97EE024D6B23D0CAC7041D71BD428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:02.699{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=791216D53F50C11ADCB0ADC23E0B3044,SHA256=26FD6FBA8BFE4D4AB1BC8F4CD7B1A363827E83FD331696E362800922EA72D930,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001287871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:07:02.465{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001287870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:07:02.465{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x14f0294b) 13241300x80000000000000001287869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:07:02.465{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b43f-0xd1274392) 13241300x80000000000000001287868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:07:02.465{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b448-0x32ebab92) 13241300x80000000000000001287867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:07:02.465{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b450-0x94b01392) 13241300x80000000000000001287866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:07:02.465{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001287865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:07:02.465{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x14f0294b) 13241300x80000000000000001287864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:07:02.465{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b43f-0xd1274392) 13241300x80000000000000001287863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:07:02.465{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b448-0x32ebab92) 13241300x80000000000000001287862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:07:02.465{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b450-0x94b01392) 354300x80000000000000001287861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:59.141{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com48904-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:58.567{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56705-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:58.545{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56587-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:58.523{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56388-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:02.137{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1466DB0DC96ECCDAFF4ED9E3004E5EBB,SHA256=0AB78CCE562CA13EB09A7DC875D15CE891A83E6F20D8647AF92FD1D4ECC70E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:03.358{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F12D3E2DD6D8C9B8388F216BFD30B1E,SHA256=DF8D9D84D14384829DB5B89E95E6FFA34D39850AF50D5388A8BC4AED8E014A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:03.965{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E40920A9866902A9D74B44C0AFCFD8A4,SHA256=A814EF0B1FE96E6D0D92E2C6C71A9AF198475CE8DE57711AA6292D05EABC0DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:03.152{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE526B522487694C3A06A0A303737214,SHA256=BE41436C3F136B9B4152681D62FAF97762EA8D5FDA0B7D06E39BC489CAEEF743,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:59.865{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-4273-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001381753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:04.169{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51286-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:04.376{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D94F8C751517BBAEC0254DE8FA66F7,SHA256=51C228F887D487BEB6EC6EF68E8AFFAFA850868500D250E25EB07659BFE89400,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:01.186{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10654-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:01.163{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10533-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:01.141{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10360-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:01.117{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10230-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:01.094{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10117-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:01.071{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10016-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:00.520{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61546-false10.0.1.12-8000- 23542300x80000000000000001287876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:04.152{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAEC01CDD48B3F47B59FCDEC5FE0C421,SHA256=A46454AAEE8C63259253D99B515189B147A7061FCE37FC4F4C27ABAD3582FCF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:05.377{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FFC9297ACC051974B23A550A0F0801,SHA256=1BBC684E98D72334F28B6BD5431FBB68F52E53C5970B246917E646202BE92E1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:02.337{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-16722-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:02.097{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse122.155.197.221-59171-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:01.222{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10774-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:05.371{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46BDD2277C83776C69DABE923880732,SHA256=218BA8658259B7BCCF90C366B6F44722987CE34F2ECA48D34E6BC1DECE12AAEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:05.043{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50DE7C7FF951017770BA3A6F1B9B53F3,SHA256=668982E478A6DBB89AE9E6FEF436A8FC3C05D42215EDACF1E5EE185135E933DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:06.574{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68BC8BC493DF8D3CEC9C7CFB39DEBE04,SHA256=92A283A663D45BBD75B8AB4E4B21F7AED25AC5E8A1CDC9A8BED53FCDD9958E9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:05.284{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse122.155.197.221-59331-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:06.391{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E542332CB8F2A184837D2C9D396F4F9,SHA256=9CBE0ABDBEDAC2A69C24233C0777450075740D6D955A296D8FB9BB6313916013,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:03.500{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22427-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:03.415{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22198-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:06.293{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FFC86FC166F9D7EE03D1ED9B01D1C76,SHA256=A5281867FDD71C4412877CBB8A0D84A8EE790169411E1D43AF88BCF4066FAD3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:07.574{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE633503CED0DE990FACCBA1286A2DC,SHA256=5A37239152F1475DEA0FBF165706B120EFCD72DD352DB9E7D71791AFF01CD265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:07.406{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFBBE8B00B72A17EEBED9953647F92C0,SHA256=BFEFF7D8D642C36AE0AD0EAF531305CE5E654D0DFA82061BA06A83AE9325A65F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:04.665{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-28526-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:07.337{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6182B388958C60B9390F5361FE88179A,SHA256=33B845BF280E190EA60C0BFEB3C184253E04EBD7F44580843443198A8B059FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:07.337{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=060336D9E4FB23DF23C5880BEDC723FC,SHA256=E3FF18B4527D299DC7571528821FCEDFB81AEEF29DB72789CDB414CD807D0AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:08.684{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6514580947EC7AC5E2A87C9D168A9534,SHA256=78C8EDBB0501E260E752EE718E60AF10744E579F255A9CF8F8D300F6A7F06BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:08.421{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0D4308D41A22919E33702412E833FA,SHA256=2F3A21D4B1967231A8AF6FA92CD95AD8DF0857B2C114EA920409A696E7A4E25E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:09.715{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2734B7572E622E2BEDB6E71277BC5AE1,SHA256=4C53CC00A6E59B0415A98120A3610F04E323B5769021393CB305479052752365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:09.422{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA06F5FEF574C96F60CEBA06358D76B3,SHA256=1FD04869914B76D09D8AF87D12A6671A035E6121B610067E7DC87AC4E7377771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:10.949{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9FB8CABDFB3E720D8EBFD566D8CF76,SHA256=E9DE989DC8BFF7F7F205E5BD60D860421A35E74BDD1C61F4661009157C223F00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.822{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB3E-6152-2828-00000000FD01}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.822{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.822{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.822{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.822{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.822{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DB3E-6152-2828-00000000FD01}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.822{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB3E-6152-2828-00000000FD01}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.823{5EBD8912-DB3E-6152-2828-00000000FD01}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.738{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=02CAC6827F0A7D10886603F7F2FB6E22,SHA256=68256710DA22A0D1FC7A3DF63CCC98C45A31CFA7BEF337C44C13BBCAB43DC179,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.043{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51287-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.423{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F12B5FE95D8FE2A806509766039BA4,SHA256=D98AAD61D8E396BBD87B85161DDD0EBC8BC80A24D5D075AD825DEC1300C600A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:06.457{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61547-false10.0.1.12-8000- 10341000x80000000000000001381769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.161{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB3E-6152-2728-00000000FD01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.161{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.161{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.161{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DB3E-6152-2728-00000000FD01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.161{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.161{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.161{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB3E-6152-2728-00000000FD01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.156{5EBD8912-DB3E-6152-2728-00000000FD01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.981{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B5B541D8C123EF60E0BC085688671F,SHA256=62C49298A40AAB40DB238770F59D6630C4983C68899ABA233EC87F5305C2D8E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:11.459{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8124113C55A0B2DEBEF4D80FE7A5CB6,SHA256=0B035CD7E49E28DCC7B5874D8E6C8FF5AA6DA7E3929588A25D81748B34BD2B99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.699{69CF5F33-DB3F-6152-1EA1-00000000FD01}3828888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB3F-6152-1EA1-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DB3F-6152-1EA1-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB3F-6152-1EA1-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.356{69CF5F33-DB3F-6152-1EA1-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:11.159{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6182B388958C60B9390F5361FE88179A,SHA256=33B845BF280E190EA60C0BFEB3C184253E04EBD7F44580843443198A8B059FCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:11.069{5EBD8912-DB3E-6152-2828-00000000FD01}30326404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:12.912{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB40-6152-2928-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:12.912{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:12.912{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:12.912{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:12.912{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:12.912{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DB40-6152-2928-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:12.912{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB40-6152-2928-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:12.913{5EBD8912-DB40-6152-2928-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:12.460{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C1DDFC89FCA82CE931AF5AB65F252A,SHA256=4A2E1494EFECD5B67D2A8706C5C239EBDDD53A273754CAE8C0D2522C5E2CDAAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB40-6152-20A1-00000000FD01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DB40-6152-20A1-00000000FD01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.918{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB40-6152-20A1-00000000FD01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.919{69CF5F33-DB40-6152-20A1-00000000FD01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001287929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.465{69CF5F33-DB40-6152-1FA1-00000000FD01}36282476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001287928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.418{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC68C7317A1BEAE795C90BDE26189DA6,SHA256=66570283F007B2852FB038602EBEA6EDC4BDE7F8D8B2CEC121BF3E55D0C748BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.418{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F8009D2E3087F0EE6D5BFAE1636131F,SHA256=5EB8CA2A5552EE8DAEE2832A85CE345EDB6A23E6EBFE31B66ECE74E1F21DDDA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB40-6152-1FA1-00000000FD01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DB40-6152-1FA1-00000000FD01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB40-6152-1FA1-00000000FD01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.231{69CF5F33-DB40-6152-1FA1-00000000FD01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.981{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC68C7317A1BEAE795C90BDE26189DA6,SHA256=66570283F007B2852FB038602EBEA6EDC4BDE7F8D8B2CEC121BF3E55D0C748BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.763{69CF5F33-DB41-6152-21A1-00000000FD01}14961500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB41-6152-21A1-00000000FD01}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DB41-6152-21A1-00000000FD01}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB41-6152-21A1-00000000FD01}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.577{69CF5F33-DB41-6152-21A1-00000000FD01}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.574{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBDD6F9039CAB5E9973FB0C4622415CC,SHA256=F277E7B7FA951FA734AE6B55968D9D0F58A4503D79B85C7F8A7EF214314EF54D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.927{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDBCF563C844703BDD03462870E994A2,SHA256=396793153AAE8F4B3386A43ED7CBC6010E4B3D3C0214C6A735E3A3588085FB5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.612{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB41-6152-2A28-00000000FD01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.596{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DB41-6152-2A28-00000000FD01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.596{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.596{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.596{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB41-6152-2A28-00000000FD01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.596{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.596{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.597{5EBD8912-DB41-6152-2A28-00000000FD01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.480{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF2DAD294AA41BB12D830700FA3E185,SHA256=9F9E4110A30A847AA6A414357966BA873DA0E2F3A07FA0DA5B4075FC86EBD427,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.097{5EBD8912-DB40-6152-2928-00000000FD01}26446300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001287985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.824{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F050BA758A936ED67739140D925F9471,SHA256=91D6929605D35664A71307E3D52DCCA4EB3AA89AAF8CC3210525B6BF86DB3C35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB42-6152-23A1-00000000FD01}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DB42-6152-23A1-00000000FD01}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB42-6152-23A1-00000000FD01}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.794{69CF5F33-DB42-6152-23A1-00000000FD01}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:14.495{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69ED4B153A077B83CBC65F4FF9159A3B,SHA256=36ECC6308899CD393379463D49DCA3C0222801849B417F73B71CEB843BF191F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB42-6152-22A1-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DB42-6152-22A1-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB42-6152-22A1-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.106{69CF5F33-DB42-6152-22A1-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001287989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.426{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61548-false10.0.1.12-8000- 23542300x80000000000000001287988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:15.840{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F219AD73A5FF902875F18F33B16F4E9C,SHA256=3A220DC83FF7AD5CE8A00801B236CDB3FE30E3FE17B132865A0089EF34370796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:15.510{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56D0121A7A937CB12237D381747DA7FE,SHA256=CE8E168A514D42A30544A761D1D29BB2BD857BC87DF001629FB65EC9C2E056BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:15.262{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC1446E63B04103E5AD4CD13ED7B4252,SHA256=D4982BBEB4D5FED33FEF566E56E0FDFEE34845C375F0C78E1AB5FA361863B459,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:15.043{69CF5F33-DB42-6152-23A1-00000000FD01}14681900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001287990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:16.981{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484AE2FDD0C204C857C43E930F39DF4F,SHA256=9159D85DD0C7C90A890A1A38632595EB4BE013593042505FB7DF381CBD72CF43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:16.809{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB44-6152-2B28-00000000FD01}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:16.809{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:16.809{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:16.809{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:16.809{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:16.809{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DB44-6152-2B28-00000000FD01}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:16.809{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB44-6152-2B28-00000000FD01}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:16.810{5EBD8912-DB44-6152-2B28-00000000FD01}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001381807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:15.165{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51288-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:16.525{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94312FAEB5761B0F70E0005502D57B45,SHA256=E729C6FC0EAAD993992354587CDABDE60561965FFD19825D7D88E03ECAB9EF08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:17.986{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C5F7E709A4869D8AE87688109C1F648,SHA256=554499CA9DA691C94B3BCDA7B92460C27BEF0F66BACF54ECE912FC6DB057DD7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.810{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE6CFB468B43DFFB0E83138DBAC15BA4,SHA256=5B28153FBA0880A2AE171FA03E59537B7BA3B7534869827BE9B3EC8DD7942778,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.709{5EBD8912-DB45-6152-2C28-00000000FD01}44444716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001381826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.578{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0C0936CE8235D9E3A8BB185896066C,SHA256=A2A0FE3CB26812E88580C67AEA12BAA49C88808744F78F5C53AD8EBE4ECE301B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.494{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB45-6152-2C28-00000000FD01}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.494{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.494{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.494{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.494{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.494{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DB45-6152-2C28-00000000FD01}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.494{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB45-6152-2C28-00000000FD01}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.495{5EBD8912-DB45-6152-2C28-00000000FD01}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001381817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.272{5EBD8912-8CBF-6151-0D00-00000000FD01}900588C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.025{5EBD8912-DB44-6152-2B28-00000000FD01}58601392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001381829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:18.641{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E3407A54C3DDCD407D25DE7F0144363,SHA256=812212C0D449ABFC342E012BF15D50E9C6C102030B6D819D01A03DE2CE604C9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:19.655{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6063800D62C32CA5ED18384FCC5BA52,SHA256=149BE08D5708BB371B5BBF5FC1EBC8684CB47D36AA5F33D7682B5EA826A2BB06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:19.204{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F9A6195BB461F3857B7FEEFEFE6539,SHA256=648B8573B980577621BF215F6281BF80C16B38FFE8819A842A4B72513292C64E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:20.267{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885B0F4EDC0990F82866A08D57028CDA,SHA256=375E7DB8429BC8291C0AA4F99336990E0062D44C9479E10DF48EE81A24F0092A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.676{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089CC0DB89ABC966355B592DCDE226A4,SHA256=E2AD25F469D6DC1967C84952CBDFD9B4297CFC897C6A14C2F93FD09CD88D6133,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.292{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.292{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.292{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.108{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB48-6152-2D28-00000000FD01}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.108{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.108{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.108{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.108{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.108{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DB48-6152-2D28-00000000FD01}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.108{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB48-6152-2D28-00000000FD01}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.109{5EBD8912-DB48-6152-2D28-00000000FD01}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001381845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:21.130{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51289-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:21.707{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A5FE253AF4F369E15FD796917F7F294,SHA256=A799259CECE416570BE8C098F9F2B384D418B345A654104126119B6BAE1584BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:17.446{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61549-false10.0.1.12-8000- 23542300x80000000000000001287994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:21.298{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C17D8157874DFF60D0BB99D51C7A4E2,SHA256=0B410EB8565D3D47F29E7CC1B17CA82E162EE9CE3A127C89D4C57A9FB7CA37A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:21.123{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F79CD5FBEA6D86719CFDD76B890BFE59,SHA256=2B3B22818D8763E8B42B6D72D0B9C0CAD0A6917569D2418A701B1F0E241A2237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:22.721{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA811A07AFD701C9C14021A14FD685A,SHA256=A88F4947C48FB29C27072E7A663F46B117EDEFE9B003CA1EEBB5392AFEE27AC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB4A-6152-24A1-00000000FD01}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DB4A-6152-24A1-00000000FD01}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB4A-6152-24A1-00000000FD01}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.580{69CF5F33-DB4A-6152-24A1-00000000FD01}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.314{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1450ED2455A04C84F90E28B685CE3354,SHA256=963E69A6CF4B50707D2BA859D08D62FD72412AB1F06696F5CA0E82D9323F421E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:23.736{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F3187A50ABBB89929618A3D8632534,SHA256=84D8D37EF5A69A830CC84C1AA81B0B6CCDD4D4521E03830DFF843D14264F17D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:23.673{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF898ADD7AB672F8B3CD92EB494B7AAD,SHA256=6E54C746BF6E2412D47549EE38C141EE7599DBFDBA867E1F7FC43EC50A2791D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:23.673{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7F11C762732B5C80011D90C4BF07FD4,SHA256=0B2B53490F9E9F5EEC9092BEBEB1C2033A4CEB968BE38D169EB99DB738203DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:23.329{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81995DBA9781395444EED89E21A19FD,SHA256=36E144403010237D11A609A1447AC1769D0C2977A0A032FEBFFBCF8101FF811F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:24.769{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7327C9C16C37D40221C8583D5A4DA90,SHA256=FF3C513275D969F3C300D7B83BDC90C047E3AA5483B177FEFB4FCAC04F6EBAB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:24.329{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15EF2A38CB52E09E5ECB59E9247F8978,SHA256=ED7CB06CC3603A9F8A36CDC780DE7CE2B6BEE71F1211F8E5CCC5F34437035DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:25.803{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FAA37E40E9EE8196F49DD362F2BCE3,SHA256=7A5FAE761233012BA98A191C18A7346FA515871A1B04F20C19C3EFC1BC676215,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.478{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61550-false10.0.1.12-8000- 23542300x80000000000000001288014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:25.346{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2EAE7E80904975749489A2A25EC82A1,SHA256=69A16A11C7053DED7935FBB58580C7E65FB3256F44C9EDACFCE459ACDF2E89AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:26.834{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F1D07D3A578ACC5755E82DA3633ABF1,SHA256=685383D974BB846BF1FD9398364CF3038D034BF9C332B966DC5D9F590A342FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:26.360{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B625E025C83FCB448DC16F4A24FE1A,SHA256=7A55695F8A1C07A22F295B46D54A2608AFEEE335F56CFC70533F8A3B9390B02B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:27.056{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51290-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:27.867{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BEFCC7FD4F9ECA1C310509E2EA1D1C6,SHA256=10248E9A9FF5BF179F02066B9B6F19F7E75D1E7B3B8FD72FA619EDC23A7DDB00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:27.376{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDDE5B5A740BFD4FB2FB716F9EFE4633,SHA256=FDC5BDEC3ECF3DAC11F754A9401D754132752DEC09E9F91D5FA366F880D18C8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:28.901{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886600AE29CB75C72FDC5DA3EFC20EEE,SHA256=81E237698D0191A6BF03B2DFCE7B38E6A3911605A53F80971B78486028BFB624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:28.376{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68DEBBE9E37A350BE544ABF78849B475,SHA256=F4207D8B1E5E32FD3BB96FF6F7902D6F878E472C85BA785895D19388F8088B5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:29.947{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E672F23ACF944BBCE091C21AF3C41034,SHA256=094B37C6DBE6304DC10765C1023ED39989200263D51FBB31768CF1E6F57109B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:29.392{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD0E63AB8E17678B0539F7AAD4B331D,SHA256=8160D3173765C1EFF63E236F414B3B960862254E27E391DE833FFE04085211A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:30.963{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF1F9DC5F6CF47C20977F2494E729F5,SHA256=0EC10F2A8DF5803215C05E13E3040FA2340B91C3C8FB3714DC109299F343E770,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:27.509{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61551-false10.0.1.12-8000- 23542300x80000000000000001288020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:30.407{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31DBEA86E06ED471F5F5ED2E1C1D0089,SHA256=09F920A3E809F539DBE55954A354386018AB406854B9D48304E6E92EBA7EE2DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:31.983{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A876DF7897A211F961E61D6B9513727,SHA256=540315A5E2D685DBD6447F2EBDE771DD82A97DEAEDB7BB8B74D542EC24801175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:31.423{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=259FD97EA34FE9A669B3974F7E2F5426,SHA256=D4F2C62FBF733DD7AB682DAAEA6C84D2281E9DE86B91CEE755352CFDDDA44E47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:32.439{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D02B8E348CFCDC941C214903F50F85,SHA256=F825B7AA0450671A886079EFC8CB845A86E558161A38DDFA260A0C69D544CC15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:32.236{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51291-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001288024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:33.454{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B34AD25F3311F60A8055332ABA23CB,SHA256=7C1457DC8B45C7FC242436F13EBB219A9D70A82F764C6665F9DA3CED1C792517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:32.998{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD65B51A74C3813447E97F5EF29F1C6,SHA256=0053B442D6222FA0BBFAB21265A536255CE119745646588709C104C6DDED0DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:34.470{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8618C04B3CD68DB543D5D207A857ABA,SHA256=18E1E54F5AEC8C484F87CE0349565902AC91D2C871969B18B1A103BD70DDC633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:34.012{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5891C8A9D9D03A89257E582E36C5AD84,SHA256=82E8F9080F5C41CA5A4D84D0077238597AE7FECC7E922D1F8F5C2DB1DB8D7320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:35.486{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E971386F3383927471AF3A8E40D3A841,SHA256=6504E6C766890B5F736A3D3CDC1D05A56B09B0E7FA9382C40736DD3D5EBE545A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:35.013{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422E6A99341E1781518AE84F6A9207CC,SHA256=C982CCF4ADDE4DCC7BB0416222E4D9A624E6BEAAE84AEBDCE2C06F26C4235EBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:33.478{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61552-false10.0.1.12-8000- 23542300x80000000000000001288027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:36.486{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D845F44EB97788D05C338E1E8944952,SHA256=01B62F814C258B8E7462A402E90FDD24EE2F9B976F68C13333020C5CF8267C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:36.028{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C82434075A6B004897817B7511903DD,SHA256=622B14ECEFC02F1C5D7A740F4EC4862B5F94AD0DEB4AD507C4BFD8E8A4DF9C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:37.488{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9896F57EF4271AF97F65D824A73F01BC,SHA256=8D5460F35AD5696C1BE7DF067EAB0F5B1C0692BA7DEAE401D8D7A2088777569E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:37.043{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6617F3FF7B399194CEF768E68A5AFBB9,SHA256=A6CDC4DFEB61E1E0608A81843F946E87EE4C5496769B67C74CC55851DDEC2E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:38.503{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA9AB70C4392D27C5360E5DFF0BF1E7,SHA256=D38B6EC9B67C205BB7DBD822B797DF663845DB63E746E1F3B9F80B9C90B0A046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:38.060{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCAD63C078EC70CBE7A19DB19B162914,SHA256=B854A243D4522EE6973CC5B96095D24B79380B4047B4E12A2933F5C093C0AF2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:39.519{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26787BAD2E33C64E836898CBB51BF386,SHA256=47F9B8FF0BD2D6022B578377D7F7C3A8A6AE6BF4489DE34A89B70EAE88B6B28E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:38.219{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51292-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:39.082{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB8EC67F13E6A6F623F3A748FC5BFDB,SHA256=D2019F8FDF4E87E1A236C65CB5FE17E4F0A561E760E907CA741071DA92C370D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:40.535{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4261C1E6520D4ADD5A8E81AA73D4C566,SHA256=1F6CE7CA5DE4E231F945197DD4F153395853DA8E0ECBBDC9F9E265729C985DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:40.128{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE814E92B3DE56F0DE012C13B7AB3D0,SHA256=97C3EBE2CC160B56CF1D9FF74B5A214E6D8CB0FD3C0C7834AFBA17700E92B92C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:41.550{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D8E9932CF2E363396C242C2CCC3E7B,SHA256=E67B9E1E2C47EED03C51E3AEEE2A6E32E0855200AB9ADED755D5A0F4F07BE7D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:41.164{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF9470D85CB26B8E73842515C3138BD,SHA256=280BD302BAF097BA5794733656C24E32B63EA5BB773751624D4400A716589373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:42.675{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21132A5253F29D40FF3C28638A194180,SHA256=EF5670D5BA0D1E2AC2EA01741DDE82A971803274616E8CD47BA0AD3BE93484A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:42.181{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FCDF87CBEE0F9A0CF9E49BDA6144D10,SHA256=23BB755794EDDEE6522429279F61C13124B8E6D796F58C0F231BE59A6B4710E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:43.722{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BCEB42F64305D211E4D3393FEA12225,SHA256=7499AF9654DE489A8832E697974378A62405EC39F8981115B24AD9F998642D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:43.182{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85967616FDB4F9FA09F446816D5DEBCC,SHA256=66EFAEF654FB2E0AAA320DE080DE56D404436D5D6A0AC6F9774714985C1E045C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:39.449{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61553-false10.0.1.12-8000- 23542300x80000000000000001381870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:43.045{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06CBEE768CD7A149493C19301D0378A4,SHA256=95D7B3776C263FFC96055051644AE392B9B49417450B76DE329360937BD64D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:43.045{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C83FEABBBBA36EBD7AB513E5EEED9C5D,SHA256=A2995657CF83A1C8DB0048B466A321BF0F6CB88BDBC1F97934EAD7B24A6AD271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:44.956{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33FD587A5483C7ECD1AA6B701F0042C3,SHA256=50226DDC85713DD060664F5DBFDEA741B3ED034A36E13C3BD172F6771DC659F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:44.196{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A998E6041C81ACA862E69FE402F2B956,SHA256=C65AA948849BC637A1CD1D3D66C05F952C9682754F77269ADAC47B352DC5FD6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:44.222{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=66701A78DF74C2E1BE5FB54419922FEA,SHA256=3CE41F4D962D6388B40714F951FB200C3E1AB6D26B2B709D84CCD47BF8ACB893,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:42.973{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51293-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001381872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:42.973{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51293-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001381876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:45.211{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D30F7433404868D6CDCF75CF1F478AB,SHA256=552520E02CCCB38FBF824612052258A6463AAEBE0BA2F1B3EEF05F0D2AF521E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:44.155{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51294-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:46.280{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11F8201A6A7FFEBF112557F788F6A7E,SHA256=A4D6B710C3FD7AA5B2F7B2207B42143121E146CCF6FE79F37BA73483F66A8BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:46.941{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:46.066{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C3465CDA2D4D84AA77767DC5B61C1B,SHA256=8623D4498AEBDDE061C6236EA4FA507DE501246F5A4928117257F233EEE545A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:47.081{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9551E1104A6E9F6F72773A1BA0C6549A,SHA256=709F6B15B7AE5FF9188C26F774B2AD6DB468ADDABCAD02AC9079C56442D5D0D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:47.462{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:47.310{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A9E53149EA6F4D2CCA28EAF2F0C5C0,SHA256=8398441D9A9E0C305A8F5BB0A02E067AA5DFE7842F0C098EA8332E27A068D254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:48.324{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A255F0819AD09146D064EF4B7111FC8C,SHA256=725D68849B149217A36B744D360E995110B620C8F7E1012BDB8D5CF4B831D826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:48.804{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5708MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:45.277{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61554-false10.0.1.12-8089- 23542300x80000000000000001288042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:48.097{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A5564AE3122C34259A8FCE52784465F,SHA256=F17F4E652B6E871F65C39B1D7CF0E090BF86192991EF052A91558ED34A38A3D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:49.339{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8703B9A39B2B6E1FD7AA342E25B75032,SHA256=D6ED424426271FC57F60D5CBE408456185C26168423ACCC46CA5DC3CECBDE380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:49.819{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5709MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:45.449{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61555-false10.0.1.12-8000- 23542300x80000000000000001288045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:49.114{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FFA4462EB7FE373F6DFEDBCB6C350B4,SHA256=B585E912BFF5B3F26209CAA4FD840888D15D0656607FF7469F802C618282476C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:48.448{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51295-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001381885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:50.977{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E26099B1C4055258058C5EED5DF7A2BF,SHA256=6B0A99DEF9DE0715FF997E9D6D3A14DF02C7826238BFB06FC08AB1DFC918CC86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:50.977{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06CBEE768CD7A149493C19301D0378A4,SHA256=95D7B3776C263FFC96055051644AE392B9B49417450B76DE329360937BD64D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:50.357{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90FDBFE3E3DA73979A47530FA79E9137,SHA256=E6E546246CDBADE9339D7FB2FA0D9BD36C7F47DEB331D31AB9D3955FABD1BB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:50.129{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEF5D1AA2B57EEA71E38975A5C113FE,SHA256=346776CD9F30DF5D82B6EFEF58EFBCB5CD0A18EB1FC223D07E0789271BAC36A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:51.350{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CBE1A406CFADB10AB3A66F99AC0EF38,SHA256=27F608E3BD7704A3EB338884F3B49ACCFC287C1F64BE4E15B344BEC52F0DD57B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:51.826{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1391MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:51.408{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9251AA786606CB88B66282BF00A78D6,SHA256=6AFD46C2FEBDEEF63A566E5E70A896339F591909A225CAAA96635AD89C0AF264,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:50.815{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse2.57.122.204-3779-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:50.131{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51296-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001288050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:52.350{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F06401FD73152A617D5C8B11E31EB3,SHA256=3B36EAA316C8BDF7B092D928FFCE829412D89AB37243D26D4488792EF5D8CAC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:52.839{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1392MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:52.424{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84FA08A6C11D561BCC50FA859AC186F2,SHA256=CF3358A6908F0A28D62CD1542208C453A1DD32922E481BD0B57CBECE09E76DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:53.538{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73E24C20023C14AD4526CF7FAF982F1,SHA256=A8C8EDB92292E8DE7BA179340B1B27865F9FC94B877CFF54A73EB29F3257D422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:53.439{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1F9FDAC86480DB4E13AD694C8C24BC,SHA256=20DC5F44F14B7EFAC92D62EC20B3D237BB7688BE633401D63C2AB1BC22A2661C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:54.554{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F79DABD8F8FF260546B88A3654137C,SHA256=8BAB2676BBC2230F25B8A708188950AB8CB24FCA70696D28A23255011B00B083,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001381896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:07:54.559{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001381895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:07:54.559{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001381894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:07:54.559{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x80000000000000001381893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:54.475{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4222C7EBA0776A71CC7F8BD99DCA4EFA,SHA256=B28390F2F50DDE2DA6303F47E153363132DA42EFF84F392883A7FA61EF62267E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:51.452{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61556-false10.0.1.12-8000- 23542300x80000000000000001288053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:55.554{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F96947F6C8661438C3F0859B9982D4,SHA256=F4C9E63E65FB1EF775CE47FEAD72F783463EF3662DA52DABB862CB3A27EEF3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:55.590{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E26099B1C4055258058C5EED5DF7A2BF,SHA256=6B0A99DEF9DE0715FF997E9D6D3A14DF02C7826238BFB06FC08AB1DFC918CC86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:55.490{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64E6C031138785C74170331DB25C3F0,SHA256=4B994CA54515DD0F4261D4747F8D8A4FBA5D10188CAE87065905101B63851AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:56.704{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81D4BEC2F3123F9A6C591B83870341F7,SHA256=66755E4D5FF80D09737A0AD479B28BE89E474E8E152DB59345F647717A5CCB8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:56.504{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06AA89C3F24EEA6EBC53842D0188E6EA,SHA256=8EC98A6A6B28C9D49E39B2FA7501EB286C89267B5C7C1B9A451BFEF1BE035099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:56.569{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=531D51A3815C3A8D4CA76BE4705EC0FB,SHA256=5B8B1709F0A8D0C41608B2FD9DDBB015A62F744C5558DF9EF4ED1B92FE278463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:57.510{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7FF8F9CC31FC6339705B89C5BADF3C,SHA256=4F3916ADB326F681626DEA331E9F029C584CEC4A591EF1E9BFCC0DCFE3B3985B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:57.570{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88565A0D4A23AAEF8CB8F4C90F38E91C,SHA256=4E39181C77AEE004747513380180F214B867E794D98233C3CFCDD0747B33816C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:56.128{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51300-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001381907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:55.754{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com42082-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:55.573{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51299-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001381905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:55.573{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51299-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001381904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:55.564{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51298-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001381903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:55.564{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51298-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001381902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:55.547{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51297-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001381901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:55.547{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51297-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 23542300x80000000000000001288057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:58.585{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B9A7EAC4EA7F8A781E2E55EC770A1EB,SHA256=CA0F37271946E11166DFAC56B79D51581A81FF09B5CCB4F97A96584ECB3FBBD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:58.519{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86761062FE4B7852D48E3E22E6BB903,SHA256=F3D5DAB2AE7623775AD854AB83084949C0A8D76E61156105C3446F56C057AE3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:56.484{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61557-false10.0.1.12-8000- 23542300x80000000000000001288058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:59.757{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF2EC529B093946A434EA78FAFEC447,SHA256=6A02BD1B8E7A0432F82658AD92455C1E1868003A6A34B90B1C0879FC41FCD127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:59.534{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8D35077D88740D4BED236CACAA87E0,SHA256=985D5658D2D55DC51DDAEFB2AB1CDA6888243ADF2421EC30F8BBC5527E155450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:00.992{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F58AABD7058A66ADA34FA59072F1705,SHA256=43591D61B56CC322061DE0F7C6E0A4C5A3395D8273374C36A492F9C61D491054,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:59.670{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.24.1.102-50943-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:00.570{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6463249C7BEB084FFE28DD856399FF8,SHA256=B36368E16E40671E5D40B4C552E471B5EC43F9CAD3F53C10B15F279F8833ABA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:01.140{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51301-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:01.601{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22FAE4670F2F34A812BCE96F833203FA,SHA256=746E1A34B685984203C95213CDE4CCEAD745AD1062F4C88BEB79D37405EC9D52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:02.601{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32351FBC30A379795F9067151A3FF760,SHA256=B1403C3FF8095019D0E2AE5510920910A327A037EC41948817335249C4B9C4AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:02.119{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C49682739CF52A83C1A8C77B9DD289,SHA256=675D55020BB4286CDCB57DF2BB8030BF62DF74F38E4C1DAB99A6D9EA194371D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:03.616{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62FECEE2757F0C04C73AA4F4ADAD24C2,SHA256=BD6B1B87CEA160FF9BCF623921C9F7A2DA15FFB33AC348F74721B1072069A5E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:00.355{69CF5F33-7F2B-614D-3800-00000000FD01}2628C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61560-false169.254.169.254-80http 354300x80000000000000001288064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:00.314{69CF5F33-7F2B-614D-3800-00000000FD01}2628C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61559-false169.254.169.254-80http 354300x80000000000000001288063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:00.313{69CF5F33-7F2B-614D-3800-00000000FD01}2628C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61558-false169.254.169.254-80http 23542300x80000000000000001288062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:03.135{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC598A03A79AFA0FAE474D98172E7F95,SHA256=07D1D4C4DC687DDCE3A4756DC8ADAFE25412828C0F532966A928BBA1C2C74C1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:04.617{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9947952024E9E28C48F5FD77E9B2A145,SHA256=7EF15B7CDF9EE4CE5866D1DC3D190506AAFE177F3BCA825D5752CCC27FF6C379,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:00.468{69CF5F33-7F2B-614D-3800-00000000FD01}2628C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61561-false169.254.169.254-80http 23542300x80000000000000001288066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:04.151{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F692AD53CE2E877A3EC070EB39EA27F,SHA256=E3FDF01C4E7FC09F9FD2287A53FF9135E1758DA6631F706BAC3B7F21446A87C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:04.247{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-53292-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:04.208{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-53144-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:04.351{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=059F65278D1952748CA44674D37E99D9,SHA256=7C21F40D8B0530CA1E34C7D2DE393FE1AA07E514973F4E7D67CDE7FB404B3346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:04.350{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93A92E469041F33D8AD2B50D00BE48AC,SHA256=63DA749627A131560119DFD46F91A489994323C23CDC5DBE4CE59FB45A267453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:05.632{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB2AE973CE6C269F98C2CBCF319244F,SHA256=0F8C78D37A0C8838C2549285DC568F4C85C006C9885C08D2CB8AD7B39906F4AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:05.369{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A9E16E1527AB8FD6EB56880B810B3E,SHA256=BEA7EDB278FD39B472B9A0D6C89931F24DD8D4D497A8E2391688229C4677064D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:05.501{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=059F65278D1952748CA44674D37E99D9,SHA256=7C21F40D8B0530CA1E34C7D2DE393FE1AA07E514973F4E7D67CDE7FB404B3346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:06.700{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE56FFD88414025E64A7FFB17C18DF4,SHA256=5371A0649435EE01B26F0F0B669366A15CA2D9D185854339A04DA676F16E4F1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:06.604{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31590CCE25529D6CA72AA24E83FF2CD6,SHA256=785EABC39045DEDE49E21F21A0AC205F0584887BF232FCDFF4EB1B11A7356D19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:06.631{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E432570F5D03F24C691D98F60D126826,SHA256=378536A2677BFA1B5274672E51560AB5CF0A290DB3EEBE4ECE70C6F699E800C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:06.193{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51302-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001381925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:05.379{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-58998-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001288069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:02.424{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61562-false10.0.1.12-8000- 23542300x80000000000000001381931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:07.930{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=759E203295BD97274383594BDEC4D389,SHA256=39D702C68AFE2AF370646465B220506C07574A47B8076EC30399A1AE0F48B9F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:07.730{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0966F1F89F7D05C1EB6B515B10AE5E88,SHA256=595DD3DD29D4DC7D62B94D5C86101EA37987F0CA04AABE462EF8665A6E900EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:07.604{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9C09000C3C65CC6837CF965C7E357F2,SHA256=C2CC4A2C7733E90731B45B21CA8582989D1846FAC2C3268D4B98C2B4F6DCAD5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:06.518{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-5846-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:08.682{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FED2BCC99A9EF7FBFD6F0173B7EFA4,SHA256=74BBA633BDD7249AC22152C19C74CCABA94DBF5C28E4BADFE2C28C45E9E8ED68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:08.748{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C297E31160A036792E1F6E0DD11D87B2,SHA256=494A0B5C2C8A34B73879494F136AE14DA0E01DD593421176AAFE70B821B48D0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:07.850{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-12330-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:09.822{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1456F391623ED76BB647104072715F7,SHA256=E6A1FEBAA2E0900AFDBD89E7F0B8391E5501E35D27C9787C8D25FBDB333508C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:09.766{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A400D69ADD4845EF3B14EC22289417,SHA256=82A7679200FF9A66A2BBC3030DC02ED97038E02A4FF43F060D63D80BD9F6777A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:09.066{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9119FDD11144F7164E3FE40F3E28C92,SHA256=4CBCAED902283DF96FA9316997362FE440C017661B457BABA303376A23788757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:10.979{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F276E43F33DD89E57065EA3B9A5C7C0D,SHA256=F6A112015610DEAEEAC7A62173C9F9F0FC499AEF0BC9D22E1E068B490D0C9E84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.812{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB7A-6152-2F28-00000000FD01}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.812{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.812{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.812{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.812{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.812{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DB7A-6152-2F28-00000000FD01}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.812{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB7A-6152-2F28-00000000FD01}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.813{5EBD8912-DB7A-6152-2F28-00000000FD01}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.781{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A8FA5694F3B140DD57BF710742E9D52,SHA256=6F08B4AF011DBEB1810D7AC17EDC6438ACBCF43B87B57507058D0545C7BA5494,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:07.471{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61563-false10.0.1.12-8000- 23542300x80000000000000001381947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.744{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D80FD229123D6FD652C2E3C7B200633C,SHA256=69BBF2B5A5FA5CDDD30A1D007E7A9CCC4203D3AB37D65900157F3AFFF341274E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.078{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-23519-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:08.988{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-17893-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.212{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=499208AA2EEF693FAAFDA98046E66A71,SHA256=C9A26FC3196C7A8F3BABACF8BB2A22667C6A4FD6872F051AFB77AA8937BEA7EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.165{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB7A-6152-2E28-00000000FD01}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.165{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.165{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.165{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.165{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.165{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DB7A-6152-2E28-00000000FD01}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.165{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB7A-6152-2E28-00000000FD01}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.166{5EBD8912-DB7A-6152-2E28-00000000FD01}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:11.796{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8A9734AFEB8FBDA1A59C47D830A116,SHA256=61171B0FA133BEF635105283F94FF260F0ABD5926AD5935009C9E656C5B2D51E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.635{69CF5F33-DB7B-6152-25A1-00000000FD01}38883500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB7B-6152-25A1-00000000FD01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DB7B-6152-25A1-00000000FD01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB7B-6152-25A1-00000000FD01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.354{69CF5F33-DB7B-6152-25A1-00000000FD01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:11.396{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2052BBDAB69BF7A8D620AAE581F84743,SHA256=9A88B51E52BA1790577C821BBA3F02011AC24664708A451C8FA3B4E760C2B633,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.996{5EBD8912-DB7A-6152-2F28-00000000FD01}64966404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.864{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB7C-6152-3028-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.864{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.864{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.864{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.864{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.864{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DB7C-6152-3028-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.864{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB7C-6152-3028-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.865{5EBD8912-DB7C-6152-3028-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.826{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=768149FFA2FF213362BFAC24E80C4A4A,SHA256=C0A71EC21821FF5FA7C165CC44A6592E71165D491508A1B8D2EF2294261651EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB7C-6152-27A1-00000000FD01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DB7C-6152-27A1-00000000FD01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB7C-6152-27A1-00000000FD01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.667{69CF5F33-DB7C-6152-27A1-00000000FD01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001288106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.432{69CF5F33-DB7C-6152-26A1-00000000FD01}25681740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001288105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.400{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B98C812652D682F73BEFEB539688B54F,SHA256=71F9566F78636547B7400580A1163DB54A62E9EFF8C2C907C00AD0936ACA202A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.400{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF898ADD7AB672F8B3CD92EB494B7AAD,SHA256=6E54C746BF6E2412D47549EE38C141EE7599DBFDBA867E1F7FC43EC50A2791D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.072{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB7C-6152-26A1-00000000FD01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.057{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DB7C-6152-26A1-00000000FD01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.072{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.072{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.072{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.072{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.072{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.072{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.072{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.072{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.057{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB7C-6152-26A1-00000000FD01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.042{69CF5F33-DB7C-6152-26A1-00000000FD01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.026{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5E6E2B45B5AEF954EB6DF42462F7D8,SHA256=99DFCA509297D08CDA4CA2AAAA7CA006354199E7E715D9E37B999FDDC3E90EB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.407{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-34479-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.134{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51303-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001381961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:11.261{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-29178-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.495{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A393FE5F7D410A656DCFC0BE2E76634E,SHA256=B75AB7969D2AE07524F5EAFBA5BAFD141EC2FC174439E16095E280C585046DDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.507{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-39900-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.775{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-41733-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.750{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-41654-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.827{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C02A6A57894DC0743903C0A85C3A0B0D,SHA256=220E892FD8A8594D0B181833CDBE99210807D877460E15439952E1836E2C6584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.682{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B98C812652D682F73BEFEB539688B54F,SHA256=71F9566F78636547B7400580A1163DB54A62E9EFF8C2C907C00AD0936ACA202A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.588{69CF5F33-DB7D-6152-28A1-00000000FD01}3440996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.369{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB7D-6152-28A1-00000000FD01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.369{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DB7D-6152-28A1-00000000FD01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.354{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.354{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB7D-6152-28A1-00000000FD01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.354{69CF5F33-DB7D-6152-28A1-00000000FD01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.166{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEBE3B207FCB3A62416D3509B3B81AB4,SHA256=53CEB3CB748A602B9249AD751AC20EAC47F9C9E7BB1C244D646F2CD90D9005DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.711{5EBD8912-DB7D-6152-3128-00000000FD01}57287132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001381981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.564{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9B3464B3081FAB23D6A180773853FB7,SHA256=BC9227FF838EE8414D9333FFBEA14F286663823B6523A434C42E75EE02F3A6C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.549{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB7D-6152-3128-00000000FD01}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.549{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.549{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.549{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.549{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.549{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DB7D-6152-3128-00000000FD01}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.549{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB7D-6152-3128-00000000FD01}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.543{5EBD8912-DB7D-6152-3128-00000000FD01}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:14.978{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EAEF19B188DA272245AA9B53F55EF1B,SHA256=1026CB5017C576F33CACCD8145BEC145B22E568727D4F2F127B36BE2A123AB57,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.868{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-46240-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:14.845{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE6B68D5EFB9729E3C3903D8D7F5684,SHA256=CA92B7C3C898085B462CB694E2E4544BF562813258E35E73B46ED4A6919C75AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.916{69CF5F33-DB7E-6152-2AA1-00000000FD01}37282660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.760{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB7E-6152-2AA1-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DB7E-6152-2AA1-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB7E-6152-2AA1-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.729{69CF5F33-DB7E-6152-2AA1-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.416{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A49FB25C5219AF17CF90B03CE0B8DB5,SHA256=8FB75AD7DAF9575176E04AF24BF99E32C8A7AEF5BC692C63E3C78F90FF4BB3FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB7E-6152-29A1-00000000FD01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DB7E-6152-29A1-00000000FD01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB7E-6152-29A1-00000000FD01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.042{69CF5F33-DB7E-6152-29A1-00000000FD01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001381992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:14.976{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-50733-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:14.632{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-45551-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:15.893{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BA12662B62A30FED39E87E9BDF493B7,SHA256=4E3A4BC7C935B2B9A5DADBA698AD001F911EB23F86D1B596362FBC52E0441D71,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.486{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61564-false10.0.1.12-8000- 23542300x80000000000000001288165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:15.510{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550C661094103F74CDD15E7C15627C7D,SHA256=5362F74628E619725AD87F52115CE67935437DE5C05FC1A0609F93C5376CA399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:15.072{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48F96B6D3D8BDE0902A24D30B9CA332F,SHA256=18417ADF6C824048EB749C14299D0C20A3061BF20B203F3D034D49179E8F51DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.946{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2EB4863A04EB3A223A0F9B3B9F9A38,SHA256=B86AD3D5036E8CD12142CB75A2E3563B1780479DBD4176E6D31F4277506D5D4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.052{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-54865-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.011{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-52131-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:16.619{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86073350B24316FCBDB28CF2989AEBB,SHA256=E180329D371EBD68795CC423D9716E7CFB036E99BE30A20B85821655D97B3DF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.842{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB80-6152-3228-00000000FD01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.824{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.824{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.824{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.824{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.824{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DB80-6152-3228-00000000FD01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.824{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB80-6152-3228-00000000FD01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.825{5EBD8912-DB80-6152-3228-00000000FD01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.124{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEBD2E407053D0C0C386739EE18A72B6,SHA256=B97843790157F0124CA306F50C83AB67A62B02B1CAFF8102799C0F2A18D7AB33,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.168{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51304-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001382018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.149{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-57848-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.149{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-59324-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.951{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C560A45EC011C0D888ABC4D49C8A8C69,SHA256=B2B390429D13484D4317A90155996EE3AA06D100DDB7A7C9F4F4CF1469ED8372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:17.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982F4AADC6510BC407C42D1B3FDAA09C,SHA256=EA8EC42F97BAC921EA9D8139D6C155FF2322178678627085D07CF2322254BAEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.540{5EBD8912-DB81-6152-3328-00000000FD01}46286284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.347{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB81-6152-3328-00000000FD01}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.347{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.347{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.347{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.347{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.347{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DB81-6152-3328-00000000FD01}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.347{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB81-6152-3328-00000000FD01}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.343{5EBD8912-DB81-6152-3328-00000000FD01}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.245{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AF0E14FE7963B53194D93A7BDC260C6,SHA256=3D66A11AB0781430D3102A5BEDBB02F59107A4DFF51B4FBDCA03E3AE220341F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.110{5EBD8912-DB80-6152-3228-00000000FD01}68246812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001288169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:18.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF233B736363723BD093DD63860044AA,SHA256=4792E57E1AE5ED0E8D98DDBE27C1DE994C33A4485B242B98E3A61AA225CC1827,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:18.253{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-4728-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:18.330{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76720B28678C57E0E03BE224931A1B4B,SHA256=D560C91C8C94DB8607947F7654AF2496F0BE1CCA366D424874155EE87253C594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:19.637{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EDA00E2DE84EFED017AE83D994071F0,SHA256=A1D9E8C2054A36D584FBB35E30A3A1ECF1A7C04E7EFEFFA99069C7ED756DD925,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:19.342{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-8970-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:18.401{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-4860-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:19.414{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69DABD9BFF0D002399EABD970D0F5F72,SHA256=C7E478B2CD1497FC4F8A83ABABA92A1033F18DCC494C41950D5E9338D2291429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:18.999{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC348936DB66D4CBEC21022CDC1BCDD,SHA256=9969CE400B8B04B10CE72C3C76F4057DDECF78AA1143FE69E1D6821D950FD954,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:17.520{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61565-false10.0.1.12-8000- 23542300x80000000000000001288171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:20.653{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D17BB567F446F6A47A084DD2A67306FC,SHA256=7CE5EAF7875621CED657FE8D5E2629AA9E8C3174DBB1A4DE8BE31066C79912CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:19.811{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-11719-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:20.515{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D912517FF9F24BFB2B95555751967E6,SHA256=48F47AE1D468ACC34817C7085724AA93C1739823B080A52A6E3FD50D83C2186A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:20.130{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB84-6152-3428-00000000FD01}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:20.130{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:20.130{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:20.130{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:20.130{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:20.130{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DB84-6152-3428-00000000FD01}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:20.130{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB84-6152-3428-00000000FD01}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:20.131{5EBD8912-DB84-6152-3428-00000000FD01}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:19.999{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54ED0959BB332E0568E9D9B0378BFF58,SHA256=1223A2F3BBC36D9EEB7FD3B306FAE11FCF949400034D7ECCABEF27250117CF10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:21.887{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B43A662D3BD5889D1F948C2399A8A70,SHA256=3E96EF7BA3D5D1B68796EF486C2A68C2582206CA0F3BB5781757C2031CEB1071,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:21.158{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-18324-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:20.438{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-13226-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:21.698{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=694BA0B212CD077F61694A829B4CC41B,SHA256=3DAB48BA84373504331EFD73FB928BC28AABF803EB3FC0FF13FFEAE3638BAB56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:21.030{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41FBA6F18D693839F8E84B6ACECECD20,SHA256=D91390B08969E56D11CAD389FCB8E68DDC05D9DF2306E655532508F3C30F40E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.887{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A1371973744EB83BBE0640F8980E5F,SHA256=1AF157FB52FEAB8ED9D64A45BE690882A0BE68B5293E9EEDBFA7ADA3E6BC5212,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:22.715{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-22250-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:22.390{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-24271-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:21.570{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-17657-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:22.782{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=059616375783264EB63DA30F0BA1657E,SHA256=B822DC6C0C3164477C70574BFFA7149DAA221C7AC83E012539846D8C0A2B4B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:22.048{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61702ECD447BB302BEF84277FDC438F,SHA256=F0E52AD53ECF9CB7898A91EC7FD080D741A56983E8869BDFC58574E442B6EACD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB86-6152-2BA1-00000000FD01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DB86-6152-2BA1-00000000FD01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB86-6152-2BA1-00000000FD01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.576{69CF5F33-DB86-6152-2BA1-00000000FD01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:23.965{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B63F54F1EAC541A06957AFD67C193CB,SHA256=D170F50A519B6C09CCA47AADF4A645A33C6CFB894ED5D609523A883C5FDC182C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:23.505{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-29874-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:23.174{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51305-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:23.066{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3501C6B770330A17D4981C68E918A22,SHA256=0992DA32AB21145CCD66C53A47104680DE81FC164FDEB5F832CA5DD3446561E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:23.606{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B09F3FFFFDEAAF66E57BB54787F5F99,SHA256=521D3ECD2A20701E8694D349A318E91AC44885FF7C54DFEABC8A607490146B85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:23.606{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AF57EB6A1397FBFE4AAFD9D125900B4,SHA256=CB10458BB862DBF012443C6F5F2DABA15C62A8B27007BE49085426307CC49FA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:23.794{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-26301-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:24.081{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76DE453E6F470AD2EC6859445BDC58E2,SHA256=8286AC97B9BA48F2769CF867EC61C44EE58ED2B1EB8C746AB2C68710A07B999B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:24.122{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88597917AE445D32EB1318A16B7467AC,SHA256=795A3D42801598078820EC49E9C2CD1AAEB6B8263BFF9FC1049906426D18EA1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:25.153{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7877FAC9ACA3D83D52B8B3FD8AF272A0,SHA256=9669780514CDF43BB075CB6EC0C0E290751761F19FD8F5FF8D51D0341AEB61DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:25.128{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90631093BA6E046D02B25BF2CE1C8EB7,SHA256=AC457CF2E543D68DE651A2D1BC3BE178FCF3E23185CABC371CB502082753F355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:25.045{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1470952BA0E7D6E5ADEE2FE879CBE83F,SHA256=8A798CEEC06BB56A934BBFA826C86B873AE7430C2D09ADF52F6F40997F945891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:26.169{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57EB295CBA72056833AA076A3FFCBE20,SHA256=BE85C484C8D60D7185A8BD0038BDEDF096D97A3111DDC37466FBA8F3CA3B39E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:26.195{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CC9E3DB9F5964564E1B11054B4BB6A,SHA256=72BFD89F8D145A9B19BEB3F2137994AD5D6C7E855B642B76F0D7651E0EB2193C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:26.064{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B46F7BAC41B10045A090A88B0F4F2A92,SHA256=7BA415FF874BFED17704B542D8A2AB1887D2A0B1A9BF6C78F821B2CEC4D5BA6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:24.977{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-31006-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:24.641{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-35570-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:27.387{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F79DEBF08C6BCCA3C4DD3BDFF707A3BE,SHA256=1499EFE2BBE3DA16EFE71ED9C32F0CB3D4B92290390C3433F4315B7CA657F6FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:27.226{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FED18DA62757BBBAF23E0402A1AAA7E,SHA256=BAC7E9CE7864AD5A42556C7F2A3BA702F8311DBA4D0318C7AB1A065642DD9974,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:23.505{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61566-false10.0.1.12-8000- 23542300x80000000000000001382060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:27.211{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CA13C25305B518A740A012309106CEC,SHA256=9F713F1C19BB169EA6A0764432EBE6B20407C3D6013AC0BDF10FA6C26273D94B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:26.055{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-35370-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:25.933{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-41663-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:28.434{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CBCD85850886AE2982C4E7A0F2A9746,SHA256=16C7B402E1FA030B6388877FC406BA44480068055BD6C7DC834C8EDB54147191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:28.296{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F578B114A174862835CBC249F578DDE,SHA256=4C7DBC316FB9840B4BC87FC1442CD77AB80DEAE5BEF7182E053B4531867CCAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:28.227{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=832602177C8FE6D65B55086D36F2709D,SHA256=CEDFBCF97294074D00E88176B1B2378045784E5C0DCC208EBE6C2E3D765BD93C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:27.139{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-39542-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:27.108{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-47775-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:29.497{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54ECEEA6214A84C41D24D9D3C47CBEC,SHA256=42EEF27C57B18FB2903833A57D02D889990669A7D1B99805E82F90ADBC745308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:29.365{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A7AB918E356A87814D79BA13AF7E1AD,SHA256=06D90CECC278C7AD4DCEE47F691A433A4F96C055CB06C702ACD8E7AFE86EAD99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:29.246{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=925906ABBD68822E0D1484B11FE53052,SHA256=1E180763DEC496F7F14E9D6A5F06D3F7C6CC43E53CA8552E58D13098E497D102,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:28.462{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-54214-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:28.223{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-43874-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:28.187{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51306-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001288197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:30.669{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A8ED250C79D7DF72D51A3E6EBF6E74,SHA256=33747EA67D36699DD2EC0CA9A3AA21C3BCBBC164432309B1C64EDAA4B23F088B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:30.850{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-7250-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:30.393{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-52313-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:30.463{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C9A709174CECDC811588BF5ACD6FF49,SHA256=0BFB3A8EBA0C41FE1C5AD90EFD89CDD9B10CBD04825FCBCE0A40B0771EF26716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:30.295{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=200488B76D764C6B1A38C1C2EB821264,SHA256=B1C351E578762B03686DC05B9AFA82CA0A8F052506345E25D103F74F172D603C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:29.694{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-1483-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:29.309{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-48008-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:31.778{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9E5BB86D7DF59708721D1BAE18B675,SHA256=C6022C6F357CBD13123EACAE2E9FBCDF346B44DCBCC6EAF6F7670BA1FA7A6A1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:31.545{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D75BFF44CFF7C56655740829BC4C187,SHA256=80B6DB9ED502DFCDBEBF63BBBA7D97C5A9E5C49456BE5B2AB983E4B0CB767F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:31.309{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE242AD35544B185B69B52EA1A0E1942,SHA256=B86E35F9A9D406FDBB805F24C6180E19745861688801B377712D45FD402AF7BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:28.520{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61567-false10.0.1.12-8000- 23542300x80000000000000001382080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:32.624{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=977C56F441ABDB3991002CA02E4FFB32,SHA256=1FFAA5D795D2352E05847CAEE7F7CA613DE3FDA545FA3F708EEDB9E734D39380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:32.324{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2C75BD07D078A42DCA1B66D6FC60C5,SHA256=77C47D937923DCF442ABBC280E8D9539D53F52333452052EACC04F564FA9C8A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:29.433{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-46715-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:29.358{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-46328-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:32.231{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDCA9DA793184B5D57167C89BEDC088A,SHA256=EA98BC963A5829B0913E3C28ACC488839A84CC93F4B6185F53CF5F4A0C90ED50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:32.231{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B09F3FFFFDEAAF66E57BB54787F5F99,SHA256=521D3ECD2A20701E8694D349A318E91AC44885FF7C54DFEABC8A607490146B85,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:29.571{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61568-false10.0.1.14-49672- 23542300x80000000000000001288205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:33.340{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDCA9DA793184B5D57167C89BEDC088A,SHA256=EA98BC963A5829B0913E3C28ACC488839A84CC93F4B6185F53CF5F4A0C90ED50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:33.012{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E6E0C61837B0D1CF7906CBD66C717EA,SHA256=423295507B913B4735A53AE8A89B528B948C509DF59A503D0606C3AEC8981314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:33.761{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=524F4F2114FACBDD3DAD9513A03F36A3,SHA256=89199E8542F22F5887654446B7943F63283B1211ECB19D773520DF74A948E90B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:33.343{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1531BEF60D014B6BB4356CE69C7F190,SHA256=E94DA323CFC27928C3BE753FF69B904F91986AEF09074C68FC8500531DBB5C65,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:32.553{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-1841-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:32.246{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261568-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001382082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:31.975{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-12283-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:31.475{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-56471-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:34.892{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D49D86BAC7091189866E676F481652D2,SHA256=815D575B946B0A5627924025C8EC6F6546DCA591ED4647F3785B0877588352E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:34.361{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AD9E73D51D20589683B9F01E9FB6556,SHA256=2C7EFE4E9C463F657671FEA5B352E5787D2CA20B8CA9BB0A7CF849DBC5C6211C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:31.808{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-58919-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:30.615{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-52821-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:34.762{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B917497D1FA75C8B0107B136E6F01529,SHA256=344FE4B9F8649EDFDBCCA0E38C4CFA6BAEC03D6469600770C368231EF7D3DA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:34.075{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33EC6E12148336DE776881A3228CBB43,SHA256=A650CA4213899C9808B94DF3880C1ACE617F3BDEE0967DB2EC99F632AB0C3BDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:33.075{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-17919-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:35.975{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98D1EF8C8DEEEF42B5B0FD80634FF2EE,SHA256=2F83F91F26972776273235C8029C8660A5AE43AD4CBB18B3DC0B3A9259D65475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:35.376{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F36F2099EAFF0FC29D9BA40DADD2BE,SHA256=5421C3EA447FDA99BF8BD08DFC24FCFBD2AE0AAB113676DEB1F41556146BFFF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:35.840{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6BAA3D60CC3301659AFD9630AE34B64,SHA256=E5262497706CAB0431FE105EFB28CEBAA5F467E72DE38274702AE7C8CC4EFEE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:35.075{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAEA3FBBFDE1DE8CC614844B4DADDA32,SHA256=065474C9926BBB0CACD074B39FD5317A32A69E11542C2499393CAF9D80AF3BB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:34.788{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10677-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:34.336{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-24014-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:34.153{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51307-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001382090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:33.676{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-6165-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:36.390{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AFB2C4CDBED857DCB3D5A2ED6CF22A6,SHA256=29AB745B7E8FF634D67255F55438C524DAF28D6407A4F8E3BA3D00371393A77F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:36.919{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2F5EFC05131A2F0E2C1CF042A463926,SHA256=2CB2729F0FED1C816AA2E2BEDD1872FEEA3427D5F9C9B9737A20F4CF769DFDE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:33.135{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-6689-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:36.091{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95E075AAE24EB45CBF236E073DED454,SHA256=B9BCC03593F030FAF5D9C72A4D00B5F2739F491D249365C83BDA1FA8F80DCAFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:35.905{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-15402-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:35.589{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-29731-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:37.421{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF81F15FD718B41539103E21ECD251A,SHA256=F88B49C9B61BA8850217BF739BAAF15C150F57901E407EB3076E573E8FC87EB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:34.442{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61569-false10.0.1.12-8000- 354300x80000000000000001288217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:34.213{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-12161-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:37.090{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30E86BCACAEA4F33A861D34CB38C2B3,SHA256=831EE8E0673BD191F7DC9B0F87C67A881BABDDF3FF16B458A74439633C41FCD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:37.058{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=674F6B054BDAABFA9E214362F49F5BA7,SHA256=1114C6E7DBCB5C4C9B71A603ADC56198167056E7DAD9CDA9ACE9696F23E785BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:38.439{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F5443F602D804CBFCF3F6105972BBCB,SHA256=D83E30F7440ACC640DB1FF1D1FC19259750059BE770C0CB1777A0FDC6684DC68,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:35.291{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-17565-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:38.093{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6F228C20FE059B602BC2FF8B024345,SHA256=625AC8DA52D95926CD09128C1EE20939DD53244E6311BCD6A936C204F1E639DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:36.988{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-19734-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:36.920{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-36178-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:38.189{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6AB0F04724B78576645306A3E97D195,SHA256=152BFA3B8E2F10434ACDB312B1BDCE490F61ABEB199989B0A3356A58442ED35E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:37.999{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=713587F2046092824EF66A96580696B5,SHA256=26BF8CF554145FDF8155D2B9AB203B91A4392F516D8B20B889AC923DA8203CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:39.457{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C467BECFB459C1AA7960341E42DABBF3,SHA256=F73E3A66E987F21C3DD4D419DC8ED4A4BFCB762917D97BAF9F05B79960397E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:39.108{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A81FE0A5ABED4575875AC746865FA6AD,SHA256=E8ECA3DBBEEA168CE30F23EA430B4EEEC874772D400D4DD51AD4D38A27EE17FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:39.273{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29FF0E1F347634EF088ED5D048121EF0,SHA256=219E95699FAB8A5708961AF5FE6B5269A539AF91DE18E8136A0A740B4EB965A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:38.071{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-24101-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:39.077{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=533A7CEB2BAC60123E78D4DEAA607209,SHA256=96B7221CED6260513FDAB41A79533B1AB1A7F5AADD5342E5597683DE4F143BD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:40.472{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE9C7EA7B973B24631E4A28E9982C0E,SHA256=D0913A8454026F872B34733F0DADB532DF1B56322DE9C0235EECFE5A04B44F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:40.218{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=513A4A0FB6E98E9BC5283696F3A615AF,SHA256=BB5452182C1D5330F58831D18B453AB6B039FF2691CB8B2EC1DF42E1C74E2DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:40.108{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A511B5A36CAB4112C7C9B1DF10EE7B8,SHA256=33D4BE5A13D1025C4BC3F765ECF47747821A7C656BB112A9274800A3F4D2F380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:40.356{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33CB484290AF6BAB82992960F50C0D16,SHA256=0D8A6CBBAA6B965D27EA1A2E085283D2B9D48F65D2D81B3C9090157E8FC3507B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:39.433{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-48601-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:39.201{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-28556-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:39.165{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51308-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001382108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:38.299{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-42748-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:41.487{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41F1D8361E3EB93E278D4F4E57E7A68D,SHA256=62798E461DAB841DE365FAFA3B159B13E894BF6CE061FA7022B9EC54386947FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:41.487{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA3182E6D5F4FA18FC3EA03A191DA27,SHA256=BF18DE74882F5212D109F3C7BFED72A06F578E66A165DCE919298584D10DE83A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:41.608{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B39A00187730BA59FD5C09A39A6D381D,SHA256=586C610002B6F5792DF050FA4AB318E9F41411DE1E63D1FD199E23C300BD2B56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:41.124{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E08E2EB00BD756364A60758B11BA29,SHA256=7E3EF9D413E7EEE27404E29013DCAEB8F7B14FC3EBFA201AC7E51FFBFB481988,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:37.466{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-28947-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:36.371{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-23115-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:42.570{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F64599B8749C93A74CF88907394A534,SHA256=0FEAF7ACAECFFB0B0E0F9BBC8B8F25E67D1F6FEAB2669982CE321193BEEC0CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:42.502{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B84D918B2B4033E456D628EC660184F,SHA256=0443B69DAE6629A63031CF2D00DA84C5DFEBA9390561C909C291E5FC66B4F387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:42.874{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=476407F1BC8DFB35F183CFEDB3246C37,SHA256=312CEFD98C68FB8AC1EFA6E7BE13F0C9270D727D02A999871888EEBB0D2B47C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:42.140{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BD7FE120385142D8DCFDAC520158FA0,SHA256=EB0F9A56004C31036126557ED96D74832604684BF848F5FBA7DEB27E6CD8ECE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:40.781{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-55250-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:40.287{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-32870-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:43.701{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E3847C6BE7D48F5A8DCAE0301514BEC,SHA256=D8B3C171C87A06C16306292B23300741516AABBE19FE208809D1FA8348991FEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:43.517{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA970BCD236D38E3C38312E4B5E06EC,SHA256=60D1369BEA141A7F34BCE2D7117966B42FE923EA01CCA8302375DA58CBDE0981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:43.952{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C59B62DCDF8B358F76E979A2572E8AC,SHA256=4270229B6CAC3F76C81C01E9422AD005DE1E870A1D173A1E9EBAA310B5C2C773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:43.155{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62319F6B353A4FB7F7615DE5AF70E7F6,SHA256=B6ADFBCD06ECBF6D140C31632F1B3A2BB388454ED6DB8EE905AD211E162A1C4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:42.500{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-41624-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:42.046{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-2399-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:41.384{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-36990-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001288234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:39.996{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-40734-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:39.616{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61570-false10.0.1.12-8000- 354300x80000000000000001288232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:38.887{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-35621-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:44.789{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BD6D744F1A6DB055FDE1923AE5702E4,SHA256=72890B42CA26FF1B50C0CCE383699B6CEAAD2F7505BBA1C1A11CC9EDEC9C4A26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:44.542{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD2CAD3D341E56D9164579F0E0FECF25,SHA256=16A6BE0BE02B04DBF506A524A3D2DAA90913E1BE53CDDA9D2E3CE020D018F6E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:44.233{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=49BECB2C098FE630D49D6ACD5A35F049,SHA256=4AD712CF35A0D604603B20757AB67FBBCA96D1029CA5381FE21ED37C2FD7A523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:44.155{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=593A4C0094635C9D9AB7E538185DFB1F,SHA256=26E2DAD004C06DDA811A23F1316C221E4F527C78C1DA7E28D3481157BC638071,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:41.246{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-47441-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001382128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:43.597{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-45866-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:43.168{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-8259-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:42.978{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51309-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001382125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:42.978{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51309-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001382135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:45.859{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7107A9806E8333A65B3751C74E232EB0,SHA256=016F87003FFBEFB79781448074D9E04E3502F3EB9BB024DB0096F0F629A8C5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:45.574{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF084E52CC72AB0F852F3E376239D5D,SHA256=889AC722E041BAEA54A13A55D136197055E2FEBEC644C58E4CA08E0F1CBE5572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:45.171{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30FA916BFDC0B6E34A1AC6AF57558CD6,SHA256=841E1DA1A98A30B0293396DC4F24D8EC5F060268130183F7B32EBA80B0510F06,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:44.714{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-50252-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:44.384{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-14170-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:44.224{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51310-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001288240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:45.062{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=088F88946A81E7C156C3CCA167BB1B71,SHA256=1E1616562DFE14308BDA66008289113CC98C6FD94F1F45C96DACBE13C21C8428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:46.959{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D03A0BF6279462C693BE1256D941F48,SHA256=B7F7A65E7B697C5097C7FDAD8F3DE4A10E8C8D93847A293F9ACC560726B320A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:46.591{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3549DA3F306B7DB15AE082176011692,SHA256=7C3F287C96610FE3ADE735756F23184D4755694AEE299EEE29B60B0AFFFFF3D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:46.968{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:42.326{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-53077-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:46.187{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D47CCEACDF4D5C6073B5A206E1616DA2,SHA256=87325EEAC3ACA711F3E971EB739556ECBA53B413B962C3F0EDF0094E2E8A9088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:46.187{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B751E2CF1B030013BBEFE0F2918EB748,SHA256=F91CA148F044220534AD5481ACC41945450EDCC33A5C290EDDA4311AF4C01A79,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:45.649{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-20217-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:47.606{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9144068811F5B0E368B5D7DB9F106D48,SHA256=146D8B94135872EAE731F9E75BA180D158DA5B9906BE2E968BB21A815B7C932F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:47.436{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDA7A48703BD00B1D6BDBCC3783881A9,SHA256=CFCF25CB64C956D7C52913605F2A4C94D16D4D11521F5983C44E466C8FB6021E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:47.202{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B177B1C30B7DDF63CD159BD0E963D9,SHA256=D788A9BD392DD509BACB11A71558B88D064867EEA4A1EDEF423D88148988C4DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:46.911{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-26521-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:46.887{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-58956-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:45.802{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-54650-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:47.490{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:48.622{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F70E8F1C16836D69B69453B1610CE87,SHA256=DE3F5C212B8C87C113112EBF08594F657834770C2A2BF28FC283A18593F2F40D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:45.413{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61572-false10.0.1.12-8000- 354300x80000000000000001288252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:45.304{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61571-false10.0.1.12-8089- 354300x80000000000000001288251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:44.703{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5994-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:43.440{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-58494-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:48.561{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDA15BB955D6BE73E41E44F046ECF904,SHA256=AC43C6B69B5779B99A43D18EAA9AD7EBE5DD230728C952C2B343FF7DA7BF60D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:48.202{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C9938CED26244B9CAFDD63CB5D1EFA,SHA256=C22B2D4BF51426B2089C572132ECB71838DCB82D21CD3E6DB840ADA23AF82ABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:48.043{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEBDE5ED8FE64526D9686CFB0D124017,SHA256=02D4B3EF357528DC658578F839FC71B550EEDC0C6AEF3C3A358363677026CE67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:49.622{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C83793E872C3E010165204D8829BD951,SHA256=F2B314BBDB46571620D60829678EECFCE1F3F231E3FFCC899E3F7E2B84E2AF5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:49.624{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F158DE979B9C7C7FF1C62B9D948D599,SHA256=4C2CF4BBE9909E56A533FF056D1656C9987CC1D265C0FCD70A193CBA6A0118CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:49.218{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F333B8E1F9B3F4F134FDD20A3D715C,SHA256=05DF304C15754DA559D8421A4B025B291C83EC62706F103429FBBC1B00DF6FAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:49.053{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-8051-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:48.466{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51311-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001382148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:48.232{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-32782-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:47.971{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-4259-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:49.107{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE4FF0CEFB5E7EEFA25D91647BD0F5DA,SHA256=BA0C17D7E4938105F8FA3423425D33F2ECC764FAAAF90BF7A1B8A561DE9E2FB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:50.643{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC4BBA113D92077CB8D25AF1B304C55,SHA256=24D41187282B6EEE24524446AD3C59CC01B0C386B9FC3BE7D4BF03987030BE64,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:46.934{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-17531-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:45.821{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11623-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:50.857{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54DD90C39BD8A9A5483812A294D158C6,SHA256=6734A413D50A732D03EE79B81673CD56E501D21C0C5B774326513D9F14988633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:50.346{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5709MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:50.218{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0679FCB9F331926FCD3E9BF4A919ED8,SHA256=FA09768684EE41CE83B3D4588FFB4EFDFEC63E31406F59E17E062627DEBCA689,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:50.029{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51312-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001382153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:49.562{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-39434-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:50.322{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EBD47329B2EED84AD149F6B6049323E,SHA256=15A37DF413C9287AF13980952F9DFCF68BE7394A46AFFF52EDFA8330723D41A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:51.659{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B59915CAB49D06CF27AE4E6DF48C24,SHA256=EA8E7EF50F75A4822881089333303B63A7D292ED6800CDF754420EE3C0535383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:51.936{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A95475EBFFD94F4B59C62D7D7FA2EED8,SHA256=D2A2BEAA6CEE2ADE7F8CFF469F6DF19DD78ECF88A95422BB7544BA15E16022CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:48.093{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-23105-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:51.358{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5710MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:51.232{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1646F06ABF718E920A53069499FB465C,SHA256=74712BC2D860ED978B4CA25FD12BA2CF443B2B7A98A57F55BB6DF55814DD8D7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:51.406{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A76B0BC48959984C52FD9509DC37E08,SHA256=3FB9B96A6299D9EC314F3957816AEFBF4E6229B2FF90EE99BD582AFCB7A745EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:50.242{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-12570-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:52.674{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D586BFC0FF668F236BBE4360D45C586,SHA256=65622629BF132FDC1F546861F70B3E9CE1CCB4C888B55DBD236999CB329B29A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:49.229{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-29243-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:52.233{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5952322DE475F82779EFC56E9F293CBA,SHA256=7C626273FED9DCC8121382622DF356EEB83CF56562A857A022E8B7F7191C5AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:52.489{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53EBBFB42C0FCBBC306061BC1B833236,SHA256=C0B509B58A382826328DB6300FE5B8F1CF5D90D021B3B7A1BEFCF7511DF13093,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:52.149{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-51804-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:51.334{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-16907-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:51.105{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-13315-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:51.066{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-12754-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:51.050{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-46325-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:53.689{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B22BB0AC41C99E584C778F85A8054E10,SHA256=AFCFDC075A61936D7E9EE36DB3D3A5705447F6BA730573F4ABD1D91EE7CF1C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:53.233{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F853AD79073C1396C9ACAC4D6D1EF3C,SHA256=105029320FBFDE73F7A708FFB7BBC157E9D46133E20D8A7C9C64C870418CD24E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:53.520{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66CC9439A46ADFB4CAFFF5D283FA31C7,SHA256=22AE495C6F2AEE0995905E842ED03CE6BECF88F74895A87DB7FE6E0B8A8EE389,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:53.260{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-57400-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:52.419{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-21456-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:52.318{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-22003-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:53.361{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1392MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:53.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62A2AE53F80BE26548399656E972117C,SHA256=356175D7F033F100B00DECA5DBDB74AF01A9E22042404E5043212D7868116771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:54.704{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A8CCB7D1F01C01C71BCDB4560479F1,SHA256=DA6E85CEF52644C517F3F43661C8BF1FEBEC3C9FE6BFB1C2558CF3C22CACAB92,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:51.439{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-39805-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:51.428{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61573-false10.0.1.12-8000- 354300x80000000000000001288271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:50.310{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-34769-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:54.233{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01244D4C537B8CE138CFD48D4C122C2,SHA256=72398EA1D0596AE6E4A9BCFECA2A5BFBF4532AEC2DD86F23C18EF1BAA73B1F76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:54.604{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE6C6B6C3FD2A9D79D3FF1AF2280DBAF,SHA256=D4B72EE653E39616430A8F25767201C72F10ECB1AEF05813DE8590F63D1107D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:53.403{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-29701-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:54.374{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1393MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:54.186{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10922D70555E61EC5D75DF01FC1CBE49,SHA256=90C6FF13AB01D34D84006D7FF1993FB185CB8DE5F404DD8B8C0AAE249573FB5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:55.723{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26E2EFACCFC758E74142DEE718787455,SHA256=7FD4285693F77D23DD792E8123A0A29B0C53BA8CE8A5A462A99BDC76571345FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:55.707{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E6F189E52C9DC44E6A2849A1604492,SHA256=9E9D918F0F02695680C60C9B5A97131A7AF3AAB1AE0D54D9C50997A92AF4851D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:52.670{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-46394-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:55.389{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A45C4556E3CB7165A47770EC5ECFFCD,SHA256=A43890949BE24B93C81ED2EA6A70090FF6854E457CE8E3D3524CF9204350ABFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:55.249{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACCD96EB8A87B3BE03EB6FD7F8FDE2D9,SHA256=BF1DC21708DFA9BAA15E9F35AE61AFA7F9BCF56F05072BBCD4002AA9B35AEECC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:53.501{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-25427-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:56.824{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8010E52FEB443AB630CA45069F79021C,SHA256=E376CBC6F8E2401C17A536C55391472FD9A8621D43FF8761E2D145E907698EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:56.708{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A28E3BDABA2EE58CAAEF4BDADDD0C0,SHA256=BFA7901DC8B952028E3650AFA636A8D13DF3E9C3F75DB0B2C02A63D1F5FD0B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:56.530{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83D2A27EA3118BC521A4717A53C4C9E8,SHA256=FAE100BB2804CC91225FDED06F8C7CAF801312DF79F069038D4AC1B1A8981BE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:56.249{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C07F268A3DA5EA7F55105CA4B281160,SHA256=7BCE466BABA7C7EDEB35E1C206893540FEFB8CEF4512338160BED3122AB3EE48,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:55.926{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-47211-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:55.669{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-33996-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:55.632{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-9823-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:55.180{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51313-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001382181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:54.786{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-39230-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:54.587{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-29851-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:54.485{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-4295-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:57.754{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D547193763B3ED79D75696474A47BEF,SHA256=9336B8D0E666E97C6DE4C31136ACF1CAFFBA6A0769313FD7729B5B3AC21366D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:57.483{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606B6F00779BC4430AA1F172A4FACA6B,SHA256=D44FC5E0B773A89A088C67F4D70983BF76D8D374782A903A5282E6DEC899E980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:57.942{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CB60DA47CF327CDA391511340858755,SHA256=D0ED4F8AADF664CAAF2992080B0C0848E187E85B1FCF8DD19D569EB1D032F52D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:57.723{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3055C4E34FA9C4F4F159FCB514EA878A,SHA256=2F55A00F30A95C0E6C14F285AD906D42AA968BA27C8409B08E0040B722BCF9EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:56.806{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-15976-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:56.751{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-38356-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001288279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:53.761{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-51896-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:58.744{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34AB30D512EAAF32052F15A9ED955C5A,SHA256=EDC6ACC0A0E620FB4344B69FB89828E8CE4E0AC65D44288B90D429C917CC268D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:58.847{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3BC98B2A6D27368BE71ADCDD25BC49E,SHA256=C9428A368FFA063DC999C53E239E2B86AD64D685EC417A24CFF6B45E6B6698C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:58.676{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D5DD729EC7D2608365D39797012FA5,SHA256=077A5FB427C301D9855EEE1FEBA72C43E611C1F736D4A548483EB12FA8C202E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:54.985{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-57867-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001382195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:58.186{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-4308-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:58.036{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-21884-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:57.849{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-42764-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:57.090{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-55608-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:59.791{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60023F7F03C20BDEFE03DA516C991309,SHA256=F8FD3744EEB254D8952F68357A5507940DEA7012D0CE25E84EC9457504297839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:59.988{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19A4A1C3B7660433214ABC52D0DB07EC,SHA256=D81B0A457E0244A813E4D4C31822723D7FCA1F954FB2109C8F28817455F54F63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:59.769{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC5A58A536CC9EDD2659C0E305CC39C,SHA256=31DCFF64158678D52C2D3F50D9451654B73A5BB93A16D6362794B3FB44A1D6D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:58.951{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-47217-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:59.022{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BA9E453B1BD926857ACF723C08DC392,SHA256=61991E497D5A4E08F7C2C683F2017FC32F088C63EC3F430911822369E33AD841,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:56.133{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5237-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.805{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12854B693A024837E9DA1594F4588200,SHA256=DADE00FCB70DC498C34D2A0BA33A50568AAFD0788A4AD2B145024649372F061B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.101{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-51821-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:59.414{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-28256-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:59.288{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-12655-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.206{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96CCCFD7EE3D36419C54A9F45B5B3471,SHA256=9925DD4949366A03EDB9F740316C89551BDCED57CA2DAAB1927EB8AB043EABF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:57.235{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-10770-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.842{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6139C029557F466064699BDE2D70844B,SHA256=B044BC96254F97E57A620850CFABB98731884566CD0982E14D0EB62C11D161DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:58.380{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-16778-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:57.433{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61574-false10.0.1.12-8000- 23542300x80000000000000001288290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:01.129{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=515D2F5CC4D6C7DF1BDCF660B4D6B68E,SHA256=0957362D13DF909842F5A285C9B1DC2774040E72878707B81129C1C30104E029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:01.004{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9FD475BB58011EBCBF96B0D375BB3C,SHA256=D569898E4D31AB78BE8435A45AFB5F2EE02C0ADF50C8B9112FFA95F15255BB0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.360{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-56824-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.326{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-56753-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.303{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-56658-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.280{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-56573-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.258{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-56362-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.232{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-56225-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.054{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-36609-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.032{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-36487-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.010{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-36376-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.987{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-36256-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.964{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-36037-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.926{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-35788-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.889{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-35492-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.853{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-35299-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.814{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-35179-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.787{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-34902-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.749{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-34808-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.727{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-34663-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.561{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-21169-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.214{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51314-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:02.873{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EAFAA08C7870F922F92C0D12DEC96D9,SHA256=65DE52636D8D5F809DF75DF243D67AB432817306E6AA92CCFD7F8E95340C2C45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:02.301{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A993477588DCB2B7FFCB826F8D0348EC,SHA256=A7F0F1ED021E368F7B892D132527502F712E398647757E8BCCEE5554E168AB59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:02.238{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA42769525C673B7F09DEB63F1A2B3B,SHA256=E1ABDDCC895F86AC2967AF2548DF1962332AE3592ED1BB048278BB8F9DA9772B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:02.055{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-31422-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:02.023{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-31278-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:02.000{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-31100-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.977{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-30967-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.954{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-30815-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.931{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-30629-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.905{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-30302-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.874{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-30140-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.824{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-29918-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.786{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-29676-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.748{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-29544-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.725{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-29389-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.703{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-29238-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.600{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57829-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.578{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57743-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.555{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57649-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.532{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57562-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.510{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57472-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.488{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57378-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.465{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57272-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.442{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57124-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.405{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57036-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.383{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-56947-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:03.887{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806411164A7035F979BDFBCD31C4147D,SHA256=F4667C9668B07B8FF7CF27E5C9FC61CEE94B683DC5C6156B7E3417834D30CD2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:59.560{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-22701-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:03.426{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A6B8E5C0727BB2DD0569A43B8E3F53D,SHA256=112BB2A41C8A72A23B119BF7E2588E9C13898CDBC527CEA62E76FDCBD592358E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:03.301{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E554FE6F3A29B6633755801BCC989AE6,SHA256=1A96826505AA040550E9559BC3C95DC689ECAB00EB7567B9351F526959A00183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:04.902{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E224B3CC2B92A641571169DE88C7CB,SHA256=B45B4FE57AD8AFDE1F91A6594B7C9DD27FC46A7CCB55658E31888A488286B497,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:00.688{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-28731-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:04.582{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3C6D57756092B236A1113C00AA4521E,SHA256=366FC10D3AC1207F981B113DBA8F9D3C37C54915E261CA955DF5F1E9297A3E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:04.316{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742E29FFEC9BD78B59A4042BEF74BC68,SHA256=A7613F92BBD14C693B64E520CB6CB7D1B90F10F2CCE685639691D51A9858E964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.970{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA8E03C9C6073076479916DBD874D5C,SHA256=618A4679500390BFFFD6D5DDE30C5F3BC7C3800403DE070A9F8FF6AEE8EB1C15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:05.801{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8D6352D62C330307C8741D4CF2D5F42,SHA256=2B29BA23BD29E73BC62DB81AAFEFA07667E1C8DA43D4F811B689346C353C03AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:01.813{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-34418-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:05.332{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C717AB2B0ABC065DBAB2B1495610A1,SHA256=DB19B8189963150ABD96F20315AD05F929DAEE209588BD8F11C1459D6D32B830,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.410{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-54531-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.373{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-54336-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.349{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-54072-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.312{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-53809-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.275{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-53664-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.252{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-53487-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.229{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-53241-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.192{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-53098-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.169{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-52830-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.117{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-52660-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.095{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-31482-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:06.894{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3D3D40F06D58BF82F1AD536C51BDA59,SHA256=D4CAF27575A32D6CA35CBF7F57E9A07A5D2D3A81CBBAEAC9B81F16F88B8AFC31,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:02.480{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61575-false10.0.1.12-8000- 23542300x80000000000000001288304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:06.347{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723BF7335E7050B974B62DA784EEEB2D,SHA256=022419A88D9D9548049C9EFDB11AD99840D87DD313CFD4594499E3BF0E83A1FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.316{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-2080-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.291{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-1749-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.253{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-1533-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.230{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-1251-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.191{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-1081-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.168{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-59779-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.131{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-59452-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.096{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-59020-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.077{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51315-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001382287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.051{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-58933-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.019{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-58849-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.996{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-58659-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.972{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-58376-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.937{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-58220-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.913{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-57990-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.891{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-57843-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.868{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-57627-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.841{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-57314-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.812{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-57120-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.778{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-56980-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.739{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-56867-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.716{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-56711-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.693{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-56522-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.669{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-56216-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.632{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-56070-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.609{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-55921-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.586{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-55784-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.563{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-55651-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.541{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-55516-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.518{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-55378-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.495{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-55221-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.472{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-54969-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.434{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-54791-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001288309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:04.174{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-46409-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:03.079{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-40551-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:07.363{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7FDBF57D7070A4046CDC1397CFD975,SHA256=029CDFBDE5D61C99F5F5E8C0999ED4E9BEEA2E5D1C3E62267789AF6B1101FFFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.340{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-2256-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:07.000{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C39DA4D5524B720F029DCEB438D90B,SHA256=3ECC50E1CA3C03BB6CF605C30EC5DABADDB0F758F22D6A8EB8065E7FA61B882C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:05.282{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-51973-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:08.379{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89795342C77BB465B0102AD24B9C7244,SHA256=10431E1AC95FC6635D41A065A8F1936D769F63ABCB19397D39DD81FB450D9EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:08.014{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97AEB0AC86D5034B2FC5D436E744AA0,SHA256=0319A3AD40427DD003C70F94CC96166454F928FE31023996022F57C954D4FE45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:08.019{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E2C3722326F385334C2914D16475E52,SHA256=F6AB8E631D8D7A39109EF9DA95021AB34922DC2742BED72923996F802E059828,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:06.405{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-58102-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:09.394{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684993B5A9598D79565CD12501EAAC7C,SHA256=563FB62538F9D187545102FDEA729B3B67BCE64758DC98C3095987F7EC27E02E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:09.035{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5659187DF64D981FFEBAF271F5027485,SHA256=1D71D0996E9643DE14BEEBD5BECECDEA10B2FA89FDA26E626133773969FC906D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:09.207{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCF6034375FF65437EFC0B7FBFD7631B,SHA256=49FAC612D9A6CA4D61717A06F6EB7FE16F2315C5509E6639CCA18D1DB8123874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:10.410{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9371B052FBD54701ABA35E39555322,SHA256=A9AA7D3DA2C0E158DDA5F339AC34CD592A508D6F86C15C4F3B351D9BB7A6518E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.854{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBB6-6152-3628-00000000FD01}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.854{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.854{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.854{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.854{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.854{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DBB6-6152-3628-00000000FD01}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.854{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBB6-6152-3628-00000000FD01}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.855{5EBD8912-DBB6-6152-3628-00000000FD01}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.754{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=704319B0958E93B5971E54FF04683633,SHA256=31518FEE85CFF2D3FDD98ACBB7A873E5FB16452C6E3E52AB87C601B894C8E78B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.386{5EBD8912-DBB6-6152-3528-00000000FD01}30326520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.171{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBB6-6152-3528-00000000FD01}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.171{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.171{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.171{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DBB6-6152-3528-00000000FD01}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.171{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.171{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.171{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBB6-6152-3528-00000000FD01}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.171{5EBD8912-DBB6-6152-3528-00000000FD01}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.054{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9AB40A4F6A49A2C99998B355DAA1B33,SHA256=4761AF58C2A6A6E0970ABF3D3EED98726261F6A6F4BAE37A9970794B85E538DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:08.449{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61576-false10.0.1.12-8000- 10341000x80000000000000001288331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.551{69CF5F33-DBB7-6152-2CA1-00000000FD01}2841356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001288330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.441{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C6E5ADC056AA5BF1973A4DB1C9AB1A,SHA256=22689F5BBCF65CFBF458D18528F598C2D4F8133D46E65F6BB4D718F963AA4803,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:11.209{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51316-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:11.186{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7702B994462A977DD5D7AF070CF3E14D,SHA256=1C05B82DAC4E5D3FEA560E8F54580BA329C782A4A74921421BF1AE7156DB4F2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:11.186{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9557722ADC4B29766404A4525E80AB2D,SHA256=A200C0EA0F9B06817B1A36693A8102FE4973D41395F26600978710A5F03B7657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:11.070{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0F566F3CACF5A688F4AC3A8D4E4BDA,SHA256=3B70DBC8357265ADAE4B3E6A440F0975B3D92DC88547EEF2EF64600F2D47B7DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBB7-6152-2CA1-00000000FD01}284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DBB7-6152-2CA1-00000000FD01}284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBB7-6152-2CA1-00000000FD01}284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.364{69CF5F33-DBB7-6152-2CA1-00000000FD01}284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001288361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.707{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBB8-6152-2EA1-00000000FD01}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.707{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.707{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.707{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.707{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.707{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.707{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.707{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.707{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.694{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DBB8-6152-2EA1-00000000FD01}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.694{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.694{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBB8-6152-2EA1-00000000FD01}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.677{69CF5F33-DBB8-6152-2EA1-00000000FD01}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.660{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665F25074ED6F66D07FC1CEA940D450C,SHA256=55DBE35C18A8C2A4B58B04308CBB89E176B143D2E4BD6AD8516A89B2B7FD1BBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:12.869{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBB8-6152-3728-00000000FD01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:12.869{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:12.869{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:12.869{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:12.869{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:12.869{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DBB8-6152-3728-00000000FD01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:12.869{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBB8-6152-3728-00000000FD01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:12.870{5EBD8912-DBB8-6152-3728-00000000FD01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:12.085{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368736E8D88A418F1494159826E27A81,SHA256=D34585D2F91B20570B914747E3F22E6123725C716531001B413B9D628F1CDDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.410{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E50BB815E2A9A806690C78B5DDAB436,SHA256=E8D4CE8AFDEC87C16845EC6B8070AD326EBBD8B02DE45417DFE90AB33C6F0A93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.269{69CF5F33-DBB8-6152-2DA1-00000000FD01}9121120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBB8-6152-2DA1-00000000FD01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DBB8-6152-2DA1-00000000FD01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBB8-6152-2DA1-00000000FD01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.051{69CF5F33-DBB8-6152-2DA1-00000000FD01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.879{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02BCCA01FB4C54F9DC21120B7FA7492B,SHA256=EA107D318F786F2C8E2812B8D9440F4AFFE16B7E955592AD97F02C8D84C2275E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.816{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7AE2F95485019051A31B56FE01E7B50,SHA256=805A33EAE5A8275024809A936B9015EF164D01727DB25A81B68208C161BEEB69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.900{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7702B994462A977DD5D7AF070CF3E14D,SHA256=1C05B82DAC4E5D3FEA560E8F54580BA329C782A4A74921421BF1AE7156DB4F2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.553{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBB9-6152-3828-00000000FD01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.553{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.553{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.553{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.553{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.553{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DBB9-6152-3828-00000000FD01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.553{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBB9-6152-3828-00000000FD01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.554{5EBD8912-DBB9-6152-3828-00000000FD01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.100{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B31CCFD072A79B66601FBFFD8B48FF,SHA256=BD3A8D94EA0E5F272D1C8F2CFE6E87F25674819305C9C5A9EACEE72B341A34C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.597{69CF5F33-DBB9-6152-2FA1-00000000FD01}12321572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBB9-6152-2FA1-00000000FD01}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DBB9-6152-2FA1-00000000FD01}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBB9-6152-2FA1-00000000FD01}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.379{69CF5F33-DBB9-6152-2FA1-00000000FD01}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001382333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.054{5EBD8912-DBB8-6152-3728-00000000FD01}68165572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.957{69CF5F33-DBBA-6152-31A1-00000000FD01}3636744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001382344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:14.115{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBA1A877C7B790EA9832E8CAF0E752F,SHA256=C44AD738AD930F587B7B3A258285BF43E4DB68CBD5A23EDB9EC195489D1F4DEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBBA-6152-31A1-00000000FD01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DBBA-6152-31A1-00000000FD01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBBA-6152-31A1-00000000FD01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.755{69CF5F33-DBBA-6152-31A1-00000000FD01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001288391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBBA-6152-30A1-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DBBA-6152-30A1-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBBA-6152-30A1-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.067{69CF5F33-DBBA-6152-30A1-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001288378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:10.667{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5347-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:15.957{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F675459689C4C58C4801DBEFA01A37,SHA256=7FBBE5F659C1C2A1DD768E671F9234C483F0EAAABC86D35B826559E2504FBAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:15.132{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1F39481E5FFE98A4DAC69F9E206AEC,SHA256=05359054261E663D3839454679C1A6FE02BA3CAAD2432BBEA3A747C5D96F9C8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.825{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-25733-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:15.066{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0BA0CFB38DF592C0C78E21A2B15E041,SHA256=EC5237B4CF0CEEF9E8761F66D20162D9B17EBCE15331F74DBFAD6739BD0AEF03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:15.050{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22F7D28294F4C458636802AD8A2F1D6,SHA256=D4943B975528C185A986D6554AF178E23446A57A2677FE358446412232657792,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:16.850{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBBC-6152-3928-00000000FD01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:16.850{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:16.850{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:16.850{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:16.850{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:16.850{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DBBC-6152-3928-00000000FD01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:16.850{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBBC-6152-3928-00000000FD01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:16.850{5EBD8912-DBBC-6152-3928-00000000FD01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:16.182{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2DA9C13E6652689E610CE8BC020168,SHA256=72BE4A3FA3CF271FDF9DBCAC5006BA860A46B042C6C3811D3D7DE5F4A31E5354,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.235{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-32899-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:17.113{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C3977A196E28446C190B23EF4C275D,SHA256=757BC25441AD408D7194A95A3D71FCDED5312E8F73C69846A338A2BF4A9210CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.865{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98028365CF967C171B8A7D934D1D840D,SHA256=B272711D1AB2ADCE9D04768E2D861D1B941A9EE85ED4DC271D9D09471AFD9540,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.711{5EBD8912-DBBD-6152-3A28-00000000FD01}40847104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.512{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBBD-6152-3A28-00000000FD01}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.512{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.512{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.512{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.512{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.512{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DBBD-6152-3A28-00000000FD01}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.512{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBBD-6152-3A28-00000000FD01}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.512{5EBD8912-DBBD-6152-3A28-00000000FD01}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.196{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDA3FEB81C8D79CE78CB5BDD2CBD9C6,SHA256=DF6A640E8FCCF0163A9FB3A352F92CDAB37EB4C3233EEFBC850CD948404B3925,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.065{5EBD8912-DBBC-6152-3928-00000000FD01}63606204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001288411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:17.082{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F82B554940A22B52D68D85A01EAAECC,SHA256=30F499E35BF01B72849FEC896DA3E11F48798C0BF88EEDB85E660269C8B5D690,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.449{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61577-false10.0.1.12-8000- 354300x80000000000000001288415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.361{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-38348-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:18.362{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45AD3AC0D28911A523301314E40BD525,SHA256=26FFA6B7A756866C9BE73256EDFE9DC3DE21B3D452D27B255C852A12B2E6C28B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:18.331{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0ED7BD994E6E5E4AC010135B0B9A9C8,SHA256=9C24BD86E4F8B7602FAF0CDFE5D9C77FDAF55A7B4CCDB6F0134324AF340A6A04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001382368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.249{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=451FDB1496776E3F12E2F03E0B6E896A,SHA256=3E68BF7C813C911B4E53C87FF86C0D438DD30CBE894001F5AD8879ADE6FFB8F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.242{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51317-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001288419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:19.628{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85D29AF99ED6C30ED13A63A4DB665061,SHA256=B297AAB51CD37183A1164BFAEE54715743D4FAA004502F8B15B8BCA545273A2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:15.475{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-44035-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:19.487{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4872CF6D25BDE2765243D648E07C8C8F,SHA256=B2BDEBB9DE2F37EDC0A5C6DF0178C18B507A45E1010AC2EAA1197F45AE4ABC5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.851{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-20650-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.829{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-20473-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:19.379{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16523B681D3363C6E150B7210C292DC0,SHA256=3576FABF2F98C3D1FC7BD01DED3BCD837C53423CEA8FB85D6AF31A34B1B668F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:20.690{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC885B7921D895A53DB1CD6DFBE9485D,SHA256=3FE04D026AB88D95C911EB6C9761507B3590FB120378D0A90F537DE276AE3A8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:16.882{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-50921-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:20.503{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918E17A6CCE038AE80C8ECBD90FA4FA6,SHA256=F79913374FE7CEA18B648C04E1647381715BF319C9AC9B1E7344ADFDFF061F22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:20.396{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75956BA4246745C394D8ED6D869BCA9A,SHA256=D44E3A11881BE749F8C760838F908A853C69CC8014A7581C69DBD8755AFDBFBF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001382411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:09:20.225{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b448-0x85915b17) 10341000x80000000000000001382410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:20.163{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBC0-6152-3B28-00000000FD01}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:20.147{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:20.147{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:20.147{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DBC0-6152-3B28-00000000FD01}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:20.147{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:20.147{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:20.147{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBC0-6152-3B28-00000000FD01}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:20.148{5EBD8912-DBC0-6152-3B28-00000000FD01}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:21.410{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D3E305AC25F57086DDACA4D5C4019F,SHA256=428F6363DB21C24E95B932F70213CECEA54EC4B9E1CE867D36E94343663CB016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:21.909{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8278A45A7904B9CE33F70078779F2348,SHA256=9B983BC48C296D8D9E0948C919704C3B615DE49A4D658C704B6066CD057A65E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:18.000{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-56671-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:21.518{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85FE74672EA3E37896F6E7B1B302DB1F,SHA256=B9854C8D62BD423C72DD41F7718046B5C2A6BC351B07B68429D66D2654E05A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:21.163{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10DB5A59B68B1A48990AD7401E75D925,SHA256=795E17D1138BF45928A7A4E4528D62759B8768B86742EFD1D218727601903588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:22.425{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2AC0EFEF6011D4120B89DC6285451F,SHA256=BC94C4871C8C470343FC9FEC1961C54A48EF384DF9230999DADC165468578E25,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:19.588{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61578-false10.0.1.12-8000- 354300x80000000000000001288440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:19.093{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-3442-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001288439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBC2-6152-32A1-00000000FD01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DBC2-6152-32A1-00000000FD01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBC2-6152-32A1-00000000FD01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.550{69CF5F33-DBC2-6152-32A1-00000000FD01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.534{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0892B9C3F0D586037C22F8CA5F4B85DD,SHA256=3228EA4D89D4B27AC6EC1A87DEA9D0312FDB114D50D256F4B92B4B07CEA1071F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:20.297{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-9945-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:23.534{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40020CE6D38D348A1F86869622C18735,SHA256=3B3382D3CCEE66B09ED14ADC42CB2A8B6EE5624BC799555A22C0812672A985C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:23.254{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51318-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:23.425{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2CC91D40A5E728DD2DB809E682C0B7,SHA256=E94E8A645BCFFEEA5609673A78E859346A93605E718A63B5A004536702FE3261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:23.034{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86D55DDE3A9E3B185DA7D7DE79945971,SHA256=F8B145F507D0162132FA79113A559735C7F3A9D9B6AA7D7BD13A8421D671DEBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:21.405{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-16012-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:24.550{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11C7A913F4B7AEFFCDFED84720C4071,SHA256=C802425EF3FAB04C2F424B2CEFF475A3E8485CC8084CEA4793FF81203692042C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:24.425{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3704618BF07FD3B40EAADEA3B927093,SHA256=10D1916FA2AD0EC026D8A0100E83DF225C5B8A50918D140474067983638D347D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:24.112{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3805E9EC37C22EC8AD3BB2FC2EA2789,SHA256=0057C9A968E7DC51B8A08E2E6CC7845DCDCD3A2562F69919D8D2DF82DCE1F160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:25.565{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4BAD04C434CAF28979813CD1BA20093,SHA256=A0051B6450AAAC2ACC852C905110F0C177D3A3DFE2E505A9E0E7279F46584091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:25.426{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01903BF7370E47D5C9295845E0C115F9,SHA256=3E9166B51083A86CBB04EDEFCF5DB96A8E263944EF93672124631B50D6989F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:25.393{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A39A42B46AF43A5BB148DAF7C1C2A1D5,SHA256=2476BB35E0D7109B90D2A01B9335155A624C74041323D8A3AF5424CD59C940A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:26.721{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3D05C494A3B3DF9949A5CE06111F6B7,SHA256=7D452EE8ABFC8CA7181F9B62B679315DEDCE83E3EE6B7794C17A8EC1AD34FFE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:26.581{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF8223B07A8A6675DA45335A5CFC9EF1,SHA256=5C68130B085DBA29AFD463E1BC33DAD80979537EA58BB609D95DE13F3C73E236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:26.447{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10884A6DE177699A41DC97F9DB532E5D,SHA256=BABF3CC0B64F752E4D74CC348F2740ECFBAC32387B2C142DF5B1FF044581DD56,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.588{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-22012-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:27.815{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C58A482686343A0EAB80F289094BC5EC,SHA256=C33928E5559EFEB6551D68238B3913D26447C1BFDCD9CA100C79F30EA519BEC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:27.462{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBD5317E66AA56F023B9BC1B2552C3A,SHA256=665B4215D6D069CCE4BF200766EDAE3E9B164C5046ACDB404366D1E68BB354A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:23.787{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-27846-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:28.987{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD6D2A8E79CA0A1CF6C66AFD87390A65,SHA256=46D0E76F70285CEF306DEC3B0FCB2AE65BDA07CE7BC8F8CD4ED2ADC70CCC4086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:28.476{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4911509B114E344633FA54ACA7E9B5D,SHA256=C801CAC6070FD6FBD176BF72CE3276CB2F57F8ABB997929CB91D64065F46D946,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:25.093{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-34707-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:28.128{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=442C6DF0A02E3C7026ED043707928AE1,SHA256=1AE9E0AF8B677C3E45E6E75D4688649C3820CE1A9673A379820778A6F8C7AD53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:29.987{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=035F53CC1749477F980861BA0C7BA8BD,SHA256=71A0612752E36DC2096A711AE4450A1407CDE7DCA47238B5326D6B8DDF8CF4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:29.491{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3CF8CF0FF63984447258425E6F9183B,SHA256=02FEF2B469A6043F5B36FDE2F7E634388D85E4BE27395ED5121908410BD327DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:29.206{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=869834068B5C9B0DC2047363005D9F53,SHA256=6CB7D5FFAD5633DDF158B4180194E164FCC8D772011E9114F944A03FDEDDB882,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:25.448{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61579-false10.0.1.12-8000- 11241100x80000000000000001382424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:29.460{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txt2021-09-27 08:10:19.295 23542300x80000000000000001382423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:29.460{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txtMD5=CA9A52CE58CD1D0480F0FC69B2A27D38,SHA256=43AA66F477F92DAEFF78EFDAD1C0A443B0BA889B5CDADEFB3B4438FD57E2DF38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:30.506{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4DD86EC93DE92862CDA0D6141C77AD0,SHA256=884A1BEFD9B4DE863210D29350BCFD8791DE718517D5A9713173CA6365AA9816,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:26.499{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-41943-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:30.331{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAED89A7B8E3E5CE91D41C74DB9B85B3,SHA256=6A832754DC33F1CC5B9C5024ECFD3560B2AAE16A7EFFE649D9111E99D35FCB6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:29.069{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51319-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:31.521{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C360A341B755F78E293CB902B7A7149,SHA256=316FEE16A56DC0D7A9062881344D94BB1C9BECA23DE9DCBDA24EE0EF625250B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:31.643{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA21EF46DD9F3D4F044167DF71B2D840,SHA256=F8214D3488319E810774FCD2523AC02944B5FA8E9D6F1110FB9845C4F382F1B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:27.592{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-47757-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:31.003{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88762F88A5A9835CDD0582BD359ED2B7,SHA256=C3F2000754BDDA64E533C9609B8F2D0F9B80AC2B164685CDC62816CB9DEA567A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:32.542{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01BE6D8B41DDED12077E59C975F2844C,SHA256=9C1907F3CD624A6BF2F72959EE9A386DBA8194DE087605676674D87140DAE867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:32.846{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5643FE2CEBE545DB418C0B4919D68CFC,SHA256=F336C60330AC953E15C69A784B41728477311353E70597C36770E7A8ED58273D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:28.758{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-53607-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:32.221{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63353C67C1B4B41DAD6058507A65929,SHA256=62CA596BADCC834553313859C54777E2A4C4B71AE3C72269F9B471B56B672C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:33.556{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2801653BFC904D284BCFD93347A5292,SHA256=69F7518CC91D7BD4AFE4AE3BB4A4456EC53E0182D6E0F2FB08885F25B8B98010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:33.924{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDF8A8C2CCAEF9D76AD45AEC0D0BE4D1,SHA256=50F1B924E33B7CB8543411ED9F2DF5E1D63C0C9ADAB2F2DE877308F34756DC0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:30.026{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-59875-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:33.253{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3320DF6DB1C27031739B6028007F6A2F,SHA256=0569DBF5262805D3498CB58531AD530A1586542991FCD7CCAE5C25DF8471AB1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:34.571{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C6D3F614D7A9D3D5EDFFE35B1881F3,SHA256=D106E10924AE35CB90BCFC17275EDCE4859F412D62050E8F94174EF740001328,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:30.588{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61580-false10.0.1.12-8000- 23542300x80000000000000001288472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:34.268{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3515A08B20FF1D1A9F7689D4112A3CDF,SHA256=C07A858DF50CD709746670403B2127D409FEC0E727B3D0CAA50FFF9D4AFD1B7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:35.572{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6291A605C478F567AB5E13E7E4C13B42,SHA256=9BCC378C207AADB1A45E7C2A4E45C3A942DFA6A4BAEB8673B219428744C7D8CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:32.308{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-12925-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:31.219{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-7266-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:35.284{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8CFFAA339A31119AF0F09B7B162114,SHA256=F86D4082E952FCABE63913A751221DB81F2CED0B94A09D3CA3CCC03660E602E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:34.180{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51320-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001288474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:35.049{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=020F640634DB972A04CD61AB85312143,SHA256=75CAAD7191CB34D996B9E80543887E18FA5569B53D7CAD2437370C13AF015845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:36.617{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54243A16E5A32CBED7953F1FA7130521,SHA256=B9767898CA9CACA7335CDBE31691EE8C608990C001137340070F8CF1BC13A09F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:33.423{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-18705-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:36.378{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5839B97D51DEB27810D7BCB2C823355C,SHA256=9FE288A580E14AAF8B7683A3D00EF94171B9FE497C720062F0A55B22F3CF21B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:36.128{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EFEFF3828C1DEC44BBAA8D210836D65,SHA256=03056A590CB8A4B81599301C26F8E57AC78E68404045B438D3764D11338C60B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:34.538{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-24436-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:37.471{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E536D6188A679EF6AB0F75DBC110DC,SHA256=B9743B587010F0B4F9FF0FA48E94BAB3F0035BB86B547A8B09285C199F117507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:37.619{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402D4B8735E16E358DF6EEF9373938AB,SHA256=B1E0E2E1A975DC677ABCE4F9A233E97B1E46B1CBC1B80697188A082E72CF7522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:37.253{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AFC8D044925AF6EFFBBD07E6903C87C,SHA256=01A0918398E120EFF0173E3D769B5B9F427F93799C2199133AC47B2C9A34C40A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:35.625{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-30122-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:38.677{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D7090C215EB1E319D711CD135A1D1C,SHA256=EAB9699D4B1800558D0B2545F2468C4FFCDF5C6174576A24167FB76D8E22F77C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:38.619{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E014677A6871C4ECB76396CE83AC760E,SHA256=F43F2858633D060E7C42A205B1ADB5EABB504E3CEC667C659AEA79703A9C32DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:38.334{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0FF3BE40EDFE327EB8EABC4CDFF32D9,SHA256=604078B0F3641FD8A4E63B43731F02FC1549B5219437F5A59C493FD8AEE9D9C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:36.709{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-35974-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:36.357{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61581-false10.0.1.12-8000- 23542300x80000000000000001288488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:39.677{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=652472C49ACF76C85193FD535DFD8C8F,SHA256=6C42A72432C8E60E7C79BE7E082381173465E71A419EDBA565EBE2E2918B085A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:39.655{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD83C0913E4FF7EEEA228C15CF40A02,SHA256=98EFFC41F67907E95D4D47FE9B21EC4F75F235CF2A0879BB6130C6D9D09F9CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:39.584{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2218BA22D8EFB3A2D80EB2E12D721F80,SHA256=9D16362B442B446E4F535F5935CF0A87662F4BC3E0D7C145EDED6F2DA58F2622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:40.709{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BDAF90C62CAF0E7801AE1A4547AB466,SHA256=BE379E91FFE53B5E33E68E4702839EAA87DF83326434BBB406A83B9CE3E14673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:40.693{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13CA0194B7F9F1833CA44AF2DF636BF,SHA256=FDE23091C329145CA230E371B0368A4759946C4471F3B02C05F0092605AD1459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:40.670{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B7D763F33D7DC89DD4E4D55DAEFB51,SHA256=90F666223BAC560354D240B9B1D602FC1479C47DFCDCC74766015A8F43B7A208,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:40.079{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51321-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001288495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:37.943{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-42044-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:41.787{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9496574D1E506205A33BA909DB51D48,SHA256=E164025688869DB71BCEB74AE1805DD6F9EE60D92F77C9D2B7789A7D1ED4C244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:41.709{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA44A4E18520F254C6D1F9116141B8C,SHA256=CFD1FE226564210A586D67AF27388C6DA6EF2F4D87F8C806A0472B7C9802CE4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:41.685{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:41.685{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02554457391CEDFF30393D7124F20D52,SHA256=42E865AF2C33CA963D92AB1360195934495008498B96D39AC5980364B8F77129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:41.685{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=3344412C446955F83005FE9152301580,SHA256=53C287D13DC0BFD1B0D5B4D9C4BA8AC76EA7E4AE75E8783FB3FE619ABB6AF4C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:42.927{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC91D04F18F6732F40E833914AF98CB,SHA256=0D75A9B441867EF67D8B4388CD2949A92463A703AE4FF9AC5882487D68977D6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:39.082{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-47261-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:42.716{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5988C04059470A6CAACE53A0606BF34,SHA256=057752CC5A0F9C4D063FB04F83832C70925360163C20A4B51E60E065C088FFB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:42.881{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD034D4E0B92B55E5CA2ABF1FDAF2F6C,SHA256=2FF5129F1D53DD652F562D58541D7B7CCDC6F0C6A40AEFA8832BDA92B40F5CC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:43.959{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD477D740847E13D866669BB4AEADDA,SHA256=BD2FB03C0245AF939E7D01328C537FF995529130760F36A93AA94363C3FC7FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:43.734{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE5F6A0A300368C5042F2EC7B9CE2F1,SHA256=7FD0768D32C74AA81642ABACBE923FF455F72287D70837BEEBE18FA89FDC982E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:40.161{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-52939-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001382447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:42.993{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51322-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001382446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:42.993{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51322-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001382445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:43.016{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5D50FD02DBC4CB20E165EF934C251C3,SHA256=D8AD70218DC4F9B0A1769B4061EBFF29952737A4F36A9C56730ABDD0E9FC4A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:43.016{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E083448790CF9B008461FB967A21D35,SHA256=99D26DFDD7A390F305D566E28A0147EBD7A43260AC8AB125E39251FB496DF939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:44.990{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D365937EE30944BE4E4949691E65A7,SHA256=2AA40D0664383C622AE48AF66A3CC00CCFE6CA339F0EB338AF7823959D8970C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:41.357{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61582-false10.0.1.12-8000- 354300x80000000000000001288503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:41.279{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-58695-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:44.752{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7631A9BC75570E3A0F9835252D82005F,SHA256=E24BB94FA077C094741C8D709F3B0F5D0F69829EBC38AC4EF4AC684068F0C551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:44.240{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=24D0EE467A3A45E743DEDEBA8794A6FA,SHA256=8906BD324ACBD702E94E0B75453AFD6BFCE006FFBA8E5C7389BB14A6DA9D8BB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:44.021{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68F198DE22BE15384D61AD670599C0BD,SHA256=BFA02BD3A5C6BCE426797304F5624AC1553A9AA6B0619A04313F670BED2EE008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:45.814{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E197A32707901CBFA0581E767D7B06,SHA256=586B5D22CC2F8DEEC7D14D83C2299278D0AE34BB43CD46061F6BCD0BD4CCFA2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:45.099{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BABCDBDF0464D9339DBBC551D3D029A,SHA256=749C85588686D890B7595A94DBC99D6C65EE2D78E1A555F6FA6F74C248E8D1AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:46.851{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8534FC08A09B133EAC8DDAFD6280D2C7,SHA256=9782288355E2C869D227CEFF36524DBF8C7E7F571A718C287045A8CECF853F1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:46.974{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:42.394{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5509-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:46.349{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3F1DC202AE8A86011AA87D428C586EA,SHA256=CFBBAE261F25162DBC799ACE1B45B415E11A47579B208F74BBEBFE9BC4F8AD9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:46.005{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFC11C26074605C028B3E8CEA95A5A6,SHA256=1BEADD1B50E8BD139B982F4F4A26FB4C2F060A985CA3FF4CF5F67875EFDC4E30,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:45.191{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51323-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:47.866{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E6479A88D93456D7244BC515914858,SHA256=62638FE9F59FB5CF6E8065A5F6F5ED5FE01CFEC795E10F704F17FA21193594DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:47.513{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:47.521{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=380B0409068D953A0CA1A52AEACEC3F7,SHA256=BFB46AF5D6B4D40680ED970246736AF92B26E931C4299B013F0E51EEAAA42465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:47.021{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C50ACA56786A7AE7CCABB87225E35E8A,SHA256=0D583FBD1FC7372706EC34B7EA1F6BB0AF140BD5BD86925FC532E3E559672B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:48.897{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE06CA10B90A51E8443463CAC074B6B4,SHA256=CDA40D6F6AC9B6A94CF9F005AF417CD5B2C682B8F9FC749035C3322A709FF93E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:48.615{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=409F24DA58DE414F7F783B88791ADF03,SHA256=C02B808768313BFEF3F721E251BAAF0186CB19A50997AC60CD09A5B8A3C7D2AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:44.735{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-17493-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:44.596{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com56539-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:43.567{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11282-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:48.037{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9079B19EAAFE4FD578430EE2ADF8F5B1,SHA256=50D1BFC5C43093B51C08D51FF72267954A951544172FB45E374AABB2A6738383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:49.930{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4CE94E5D395108F1323A3EFB0B76010,SHA256=E917D836A4ED31FDB81B25876435F6E4E4ED4715F07E516755346D2D4614F84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:49.693{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=242AC52DC3846454E74582E4DB182AB3,SHA256=46FED8750DD0A51424F8F5441A62D244682BCCC40FECD8D0F37C97030C214617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:49.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE97FE7AAB45F5ED444A7E8950D3FEFC,SHA256=CFF371C05A53334EEFF35183EBF66162221A1E000F6ED7D0867DB2C1FD04B38E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:48.490{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51324-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001288518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:45.326{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61583-false10.0.1.12-8089- 23542300x80000000000000001382458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:50.980{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B287D775E10FADD61AE416D7D458622E,SHA256=7A9C0E64142E0A0696FDBA531BAB3BBA0D64D3E56FD893E998BF2B4C4641247B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:50.787{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94843D97C1213143658AB2748E22496D,SHA256=FFE9681B146C711FECFA7D5DF8A319109C764C414D743F08C7A08E4ED0A3B554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:50.365{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5286825C608CCEC668C220E4F9A08E6,SHA256=5E09CB120F06E53E17C894EED26974DC86FABA8D3CD7EE308168330AD38B7CE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:45.895{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-23561-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:51.994{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2DC77B5637991988B346C5EC8B0226,SHA256=D526F23A123F7DE49F75E678B41D7F8ADA49FF11A115459BEA1038ADF14E9DAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:51.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8A4D84A2CDF9D78E93C2C519ACCA0EC,SHA256=C3605D91EF2FC5ECB229C0B4D0CB90FCFC62C17788901BC4E162D29804C24DDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:51.884{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5710MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:51.365{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907921632D54E1A194F021F816CB510D,SHA256=DEC1C8B501BF61E4AA1582C0D0B6A3C84EEC8F44FC6EA38FE5D40E2836F483C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:48.069{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-34735-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:46.988{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-29286-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:46.373{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61584-false10.0.1.12-8000- 23542300x80000000000000001288532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:52.898{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5711MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:52.584{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7DEF8487D7452B77BD53355EB81D401,SHA256=C2AA8854AE94E8E2F0F4513EB3037C2885F37B84FE99548C0FD18124FF374739,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:51.172{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51325-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001288530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:49.160{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-40344-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:53.819{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F10B5A32936225B09757119CA967F4,SHA256=9008F88E8BF01D29F7C4ECA040A2D2AB6BAD39A9A448B650A1D886324CEB56E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:53.009{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7852573D1652B035069B75E5C1E910A2,SHA256=5DF5DBF9F0EF6573AFB77D1623A192BFCD459E73536A52959999EF784FBBEFE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:53.316{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4023DE59106C649B00EFD90F2A517FDD,SHA256=D2A0A25B2BB43DEC6AD1482BFAC4C371E9134A5E0C75129869C22A645CE7DACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:54.835{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99606CE051DF761C718C4A33B87DECD7,SHA256=F6E67E049C85CFC5B4CAF9963641CE167ED2DAD3D7EF04EC2A897D5FE414A54E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:54.397{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEB1CDC945DE3480152E150D04AFF3D0,SHA256=22455CB9ADDFF258F460E4F443709C98CF00879C660849C34600317884C864E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:50.343{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-46028-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:54.896{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1393MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:54.026{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59A6629A5251F4996F4225EF72661043,SHA256=39A9E6B70F43EB9EB19E0ACC8A82C2234990C70ADB6034358C45E645B965CD52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:55.835{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF28C8F900212AF83D5799B3A3C2932B,SHA256=5369F35DE9C4E2F644D51BC037E6D35B748782DD028492D6F249A95E9E2ADAEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:55.908{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1394MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:55.076{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=802EE6B0663D5D3D91015A75B9570BCC,SHA256=DC04091E44DEFC4B075BD8765F1E01E89D742E52C2AC83BE1E560F6D97EB49BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:55.491{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A8664E1A42D6D2A7777CA64A5F4AFD6,SHA256=CA51710EDB83ADE46954D4B2F406F931A72267EC5CF84457DD6D944BCCB93391,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:51.689{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-53043-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:56.850{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E387225E9E7908FAEAEEDAFECFD9CB2E,SHA256=14170F375D11AB926EC256682200FC6F0F2790582BDCA3C74F49F3F49F41E39A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:56.144{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=626724E3A6F2849E778106D05FFA34DB,SHA256=3B0F156FA653AAF1739B0999E190A22FFE7AC1569F53E103D9E9A6BB776CDF3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:56.616{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79143FB52B3C19B2414FC8D55CEC73F0,SHA256=8E3A46BFA05B037FF3F8B9E733C7055C38539328EF20D0EF6AB22521A9E5F2D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:52.769{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-58949-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:52.390{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61585-false10.0.1.12-8000- 23542300x80000000000000001288548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:57.854{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD3109CCF38D0E5F3B538D47228D057,SHA256=977E594702FACB5F35FB6FC90C2A91F8E8ABD872896F82604E6B7525FB3CAD3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:57.174{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7D287E915212B3D7CDF8E9CF49CD7B,SHA256=3C9B1ED9E52894650606118ACF5B3E49464A651C9E42888CC2D0AFC0962723E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:57.698{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B354612BFD4B47001C61C64299066E41,SHA256=D7FF2B29301A3C696111323F85EBD3094D04429311D3CEF8A61542A7C701BEB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:54.248{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-59126-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:53.877{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5862-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:58.870{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986178CD72CE864CEFA2D1925137E788,SHA256=821EA4283F01372872B875FA9EFC22310AD7B3F4EE46552BD8D9A69FB6C6CEBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:57.117{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51326-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001382469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:58.289{5EBD8912-8CBD-6151-0B00-00000000FD01}640368C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001382468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:58.205{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4317B62465F2EE34B733801DF633D3BF,SHA256=A979D699C450B73072C1C3BCBD320AEF00C9739DC2BC0CFE03E05DFF43A54403,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:55.454{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-7955-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:54.988{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11643-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:54.287{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-59374-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:59.885{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92A1A77DE67102E2C37662EA3884E1A,SHA256=5D9EFD8B030F21A5DB82622A2F173C1AC2CCB3AAE9A196CCA9ACFCDB23424AD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:59.283{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51327-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001382477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:59.283{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51327-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 10341000x80000000000000001382476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:59.741{5EBD8912-8CC0-6151-1600-00000000FD01}12962680C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:59.741{5EBD8912-8CC0-6151-1600-00000000FD01}12962680C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001382474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:59.541{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:59.324{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=090F2672D0F2BFE74336A371C3A086E3,SHA256=55CCDC793441A778081B06EC81315152DF43BFBAA02A6024963EA63F36CAE0D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:59.323{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5D50FD02DBC4CB20E165EF934C251C3,SHA256=D8AD70218DC4F9B0A1769B4061EBFF29952737A4F36A9C56730ABDD0E9FC4A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:59.257{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8463A922AC8E887FE9BF2C9C3B10A321,SHA256=986E6F21859C12C2F87E2F74CCDB0658BA9DB0F0914011C1339F2B451E7CEFE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:59.339{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28A5F0DB1A937457AB443A321D89CAA5,SHA256=7BAE59DECF91BC0DA6BB3636286039EAEB4ECA3973D83B1F9FA41AC533672C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:00.885{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEBCC00DA42EBCDC1302AC2A64FD975C,SHA256=FC10039521E4857ED9348F01BA92A51325CC3498359646FBE16A1D6C93FEA051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:00.272{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D95F5E68F014154CFEFD0BF9E4C4EC2,SHA256=0469C07AEDBF249C63C3F79B05AC8728F4D554B71DAB5A042CC2C4748352058F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:57.724{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-23675-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:57.440{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61586-false10.0.1.12-8000- 354300x80000000000000001288556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:56.591{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-15662-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:00.588{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF0C2DCD8847B42BB96E8A5504A8734F,SHA256=1A4E64203C24FD3607CB8305A495D282496C6840DBD8CEF72C67B6E48137801F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:01.885{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB5B2DE4970264B130CA3EAC0FABC1B,SHA256=1275374827DBE323AAD78E418C51AE173C3DC8AEFFEF7C7A5D310EE53B254131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.948{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.948{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.948{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.948{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.948{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.948{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.948{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.948{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.948{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=C143402B1C4118ED7B00874BB55D3156,SHA256=681A0704C2C3DBDFB684A05706A01805E4A396ACFDA7D8D591E54237E4DEE64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.932{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=489DDF1C6CFFF3875F1BECD21EE3A913,SHA256=10226DBCFA9F6058B8A2FF0536E4A23EAF40F4CC71CC6168647D97C1D538D4AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.932{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.932{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.932{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=103C12E0F6367D4DD6B83CDBEBA2DB6F,SHA256=3C7A95E23897C26E1001E8E5873F6E3083C6592379B802251C55FFF8CC01A0AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.932{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=67A5CCC8B83723618E722CC28675B8CC,SHA256=A340E949BE6C46AF265F137A3ADDB6C1520123077E75A5E8DB7295E036DA2CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.932{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=A99513F5FC53FEBAB2BE6731F9505D18,SHA256=694F58850639D01BB4EE760D2BC5E81258A71761AA6540273FB0DE94D1220098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.848{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=428B9500D53D2CBC75ADBF408A0A2C28,SHA256=417D4B4CA9DBA3F1A287BFE247BA81A39CB0ADA45D635CF50427504428B2DFA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.848{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=047EAAE78CC3A4F4176CD5424C6E491C,SHA256=F81B7253B91620D2B34B9FD33E6A7CD4FC3289D0F10A097D24E819161A6C3AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.848{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=80ED13718D67F83E95DE5A1903458B2A,SHA256=98D767A1E9F7C32A7321DE028813506F4C4C305FD8C1BD366DEBDFC3CB59E249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.848{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.848{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=5ACD66DB29AFABE23566110E44DBD5E7,SHA256=AD73B565DED09760945E8AC426CD4D16C8DEB3C202E8ABAD356EABF62137D2D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.848{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=B87CA8ADAC18B0F2FFB456E7497C09B1,SHA256=7654AFCCBEBFA8A3025652ED30F37E7F3484BE67A5C23B276BB8D83011C15BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.832{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=4D56BC1E46AF0EC5531BD7101BC31F14,SHA256=6786B1FA28C6FA145CAADB510E14A24A9AD3CFA943B36F358C9AA36916FD5D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.832{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.831{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.828{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.827{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.826{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.825{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=BF6C363FCFE18836F5B693AC897B03D0,SHA256=3436668289A12D65E3C22BC60B8E2EA8D2D6CF15DF1402FCB3C16DD875D438E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=D5F2E2EC2D972EA4E3BD5E52478574EC,SHA256=5A9F549160D35C4F4CCD6CC4EF4B63FF1A8859F8374AEA866A10F61DC2559E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.794{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=914534BA8A40B6B03D6D9B771F2B19BD,SHA256=35A2915F1843458284C8FC7CA759EA2429663896ED02845849FA9A318F53EC0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.794{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=AE7986A0220B25D6A8A8D964DFAB18A9,SHA256=204DECEAD5EF0D73D35420F74EF89BB5E7080007726E198A26D8553BA5B257D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.794{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.794{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.794{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=4E114A12FE1D8664A2957286D9C690B5,SHA256=6A1E487E1A25DA4010DCE4BC9DD610DEF85DA683FAC9D704DD2A50664E5A60BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.794{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=775AAB007F2E4FF49FC45DB938962B25,SHA256=D3DA5191342AAD67DAE5D80DF6ADE9D325A8A9D1131BADFC19152B6468A62E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.779{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=4D56BC1E46AF0EC5531BD7101BC31F14,SHA256=6786B1FA28C6FA145CAADB510E14A24A9AD3CFA943B36F358C9AA36916FD5D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.763{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.660{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=67A5CCC8B83723618E722CC28675B8CC,SHA256=A340E949BE6C46AF265F137A3ADDB6C1520123077E75A5E8DB7295E036DA2CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.660{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.660{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=80ED13718D67F83E95DE5A1903458B2A,SHA256=98D767A1E9F7C32A7321DE028813506F4C4C305FD8C1BD366DEBDFC3CB59E249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.644{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.629{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=428B9500D53D2CBC75ADBF408A0A2C28,SHA256=417D4B4CA9DBA3F1A287BFE247BA81A39CB0ADA45D635CF50427504428B2DFA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.566{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.287{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40114F6817A36912D4179245BA5670E7,SHA256=03BDE316B0229B07524014D30F3A8B01C4BA832F3A02E762183D205842BE77A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:01.714{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=813D2CC4C9DDC4E26A41EA1781468C8C,SHA256=68AC46F1BBBE7B0FA99FC478B9447F417C16C92AED85F44FE4712E0C87D4C41C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:02.901{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FFBB33B3725E8F6AFADC858A6FF1C2,SHA256=05FB95A1345188BB94160C536215C25868ECF01E6F308512D093AC825FEDBF32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:02.479{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:02.378{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA0BFB9847B63D57B328AD99E1B6BCFE,SHA256=E3E17714EB93A444E667916A3D7FDBA04B38755D0DFB718DACF15C8343E2FE63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:58.975{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-32217-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:02.792{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09B8FDE1C01B1D05B14CB6480C507854,SHA256=0FF801525C5D991E4BE8A6608E9E77E70237ABECE56887FC48D550559D0247D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.344{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local51328-false142.250.186.138fra24s07-in-f10.1e100.net443https 354300x80000000000000001382535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.342{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52538- 23542300x80000000000000001288565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:03.917{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31177740DB834575224DDA55B5FD8221,SHA256=B16A31E4230F3640D3E9EBA617F5A704CCE704C53CA49B6EE850819A9A82061F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001382549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:03.594{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001382548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:03.594{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x051dd1b8) 13241300x80000000000000001382547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:03.594{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b440-0x3d3d5cd0) 13241300x80000000000000001382546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:03.594{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b448-0x9f01c4d0) 13241300x80000000000000001382545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:03.594{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b451-0x00c62cd0) 13241300x80000000000000001382544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:03.594{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001382543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:03.594{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x051dd1b8) 13241300x80000000000000001382542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:03.594{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b440-0x3d3d5cd0) 13241300x80000000000000001382541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:03.594{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b448-0x9f01c4d0) 13241300x80000000000000001382540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:03.594{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b451-0x00c62cd0) 23542300x80000000000000001382539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:03.393{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=206C31B6CFF3909C31FFDE30F2754331,SHA256=F2F12B0DA6744B1F434E43465F43271DBF939EB8892F7D006B6133805C3C38B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:04.917{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=408B010B10E4FB5E8F9C800E437A41E8,SHA256=C463F7D6A34E8BD9FBB6B04C96F9DEF6F4D3478884C4D7B7777A6681749AC03E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:04.409{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFBC333C11FA62586BDA08BF32FCA12A,SHA256=7DC58AD6E8CED7A3220772B75CBCE78C1B2798050341EDE1AD3CDC80CA1B64C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:04.104{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC2C8EBC36D1C482DC9F69A5EF61BD28,SHA256=B5919A2C3E222346BE4EB8449A22CE149FEAF84CF8DE7BA5417C74ADB888EF02,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:00.086{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-40388-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001382550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:02.774{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55341- 23542300x80000000000000001288571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:05.932{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61851B1EA84C887A2F5C4D5FCAD8E026,SHA256=E5DC7312C222EB0340E64C990F940144D1DE37EFC70FC56522D36A20DACAC465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:05.426{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82960E975A09CD55629E308C4C14025,SHA256=34F277AB98373B949D3A8422B20EBD0561EB95837C0C9E52491103AC0FD9EA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:05.182{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDAE6D46347D5F8DF3925905A916D364,SHA256=C7F4E8ECB4F55D0821D97D939A04BFD3FC3F2647237E83E9F5C9C05B0CFB072F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:01.196{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-47922-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001382552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:03.102{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51329-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001288575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:06.948{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8CDBE672817ACB94B3FA70D261963B,SHA256=4B801350EF57CB7FB39808DA4D46178AEA04118ED86FF390332BAE87991A95F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:06.445{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD2C0424AD46FA092492990B32E23CD,SHA256=0FFBA316752C385B956276C937A79F6F394AB205BB6A9B192B63059FA5D6D01C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:06.823{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5969FE37439EA313ACC316C980CF6BC,SHA256=86E403CD2F8C47D433D6A433E3D74FC56BC98C7F85D0E832CE63807D83F16E40,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:02.502{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61587-false10.0.1.12-8000- 354300x80000000000000001288572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:02.476{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-56990-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:07.963{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5A91B7303C4ED30B9FBA47FFB3E441,SHA256=B6B0449EC3A441726B3EC3AA932D9D176627B1E84BF1E021ED322FBEE52F9706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:07.459{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70CF5CAE53E3C0F83A6A9A9F5994C499,SHA256=E9B93ABFDE25480E9AE10570A222C0EF3381CDEC1305966A6E277E50F0BAD3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:07.901{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40BF8F00FF596592C6B300186BED0388,SHA256=E79A079E134275996520961CAF4915C74C05A2069068C2CDE4FF31BF6270A66C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:08.963{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29EDA9A48652F5C3F9DCC5771BC0C2E7,SHA256=FE565AC7914A90B9C35EC61FF4FBC0D33CC16165C3183D508E15F5F0EF3F4202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:08.474{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F07A97063D216349349892E0DAC6552,SHA256=AD54A2ED0248F3C9BEA4C38F958AAF0962B6A86B88C0FB0E0EF6A78499EA3CC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:03.999{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-8070-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:09.979{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2781A02654773CE8118A45CE39F82D50,SHA256=48170293D05E248BDCEC792BBCF9DC482F8CE5BFE6842E6403EB6B81CE350511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:09.488{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1524E86AAA7DF388EBA9A0EDF6827EB7,SHA256=7C09C5723CB4B890826E134208FD0E5794F73B2F1BFA61CA190165407C573893,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:06.302{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-24125-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:05.194{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-16427-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:09.026{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC90DAA39DBAB0E2AE4C553FDF83F809,SHA256=B2935FA165B46A06ECE00B29583E9EAD642C203B9BAD2851BDD248B3EA4295F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:10.995{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC382E9C36E3DF8304393EF00FF3BBF5,SHA256=D52DA3932FD27F9890436C00E8A2E357449BB6D301F6141490473BC161199B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.762{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=19EB3AD36C9649DB77DBD1AA5DB8D704,SHA256=B25971CDDCF0161623CB8B56D9D66E99BC18A312839E6555CFA0BE77B698DD97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.694{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBF2-6152-3D28-00000000FD01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.694{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.694{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.694{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.694{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.694{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DBF2-6152-3D28-00000000FD01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.694{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBF2-6152-3D28-00000000FD01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.695{5EBD8912-DBF2-6152-3D28-00000000FD01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.525{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB1080B403B424980AE961CABAAF228,SHA256=83B5964F36FF2B6A695E64B72691FD84CA0B2A14537BAB3682B3E88816F26B05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:10.354{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:10.354{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:10.354{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001288586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:10.135{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3381E86BA7C8605853CFBEDFFEA00A79,SHA256=5ED6647780D800A416873A9EA69E0F8246C186C36539E637FBB4E778C20F6E53,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:06.801{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-50272-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:06.775{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-50006-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001382569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.437{5EBD8912-DBF2-6152-3C28-00000000FD01}50646444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001382568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:09.135{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51330-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001382567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.188{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBF2-6152-3C28-00000000FD01}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.188{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.188{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.188{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.188{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.188{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DBF2-6152-3C28-00000000FD01}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.188{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBF2-6152-3C28-00000000FD01}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.189{5EBD8912-DBF2-6152-3C28-00000000FD01}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.057{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B6499F3FCA307A325A3EDC18ECEC5C7,SHA256=B6647E13FD5DD0D98970A822484ADA3F817412E861E313CC6CF42CA30BD43183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.057{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=090F2672D0F2BFE74336A371C3A086E3,SHA256=55CCDC793441A778081B06EC81315152DF43BFBAA02A6024963EA63F36CAE0D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:11.546{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A6289AD9C5A301E9A0EE625FA7C4A0,SHA256=1A91214213AE226E23191E27E7DF93F6598E3D33E9783A1BB446D0B54DA40381,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.557{69CF5F33-DBF3-6152-33A1-00000000FD01}1848320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBF3-6152-33A1-00000000FD01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DBF3-6152-33A1-00000000FD01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBF3-6152-33A1-00000000FD01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.355{69CF5F33-DBF3-6152-33A1-00000000FD01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.279{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AC1F87C31B8534FADDC569278A52564,SHA256=9CBC7A6CA70BD5C0A5988EF7D8BB8929785B4BF76C17933B944E4B6A09F4CC3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:07.412{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-32215-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:11.194{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B6499F3FCA307A325A3EDC18ECEC5C7,SHA256=B6647E13FD5DD0D98970A822484ADA3F817412E861E313CC6CF42CA30BD43183,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:12.776{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBF4-6152-3E28-00000000FD01}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:12.776{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:12.776{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:12.776{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:12.776{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DBF4-6152-3E28-00000000FD01}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:12.776{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:12.776{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBF4-6152-3E28-00000000FD01}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:12.777{5EBD8912-DBF4-6152-3E28-00000000FD01}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:12.561{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E4F18619A69709D25E95677184C9B5,SHA256=1A177C332E5DA73A091B5B382C702C6911D97DF6A264664F4995E882296DAED3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBF4-6152-35A1-00000000FD01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DBF4-6152-35A1-00000000FD01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBF4-6152-35A1-00000000FD01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.730{69CF5F33-DBF4-6152-35A1-00000000FD01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.401{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91EC17971C5DB979FA049F3DA86E00AF,SHA256=6E696B9128D280960447A2B1D69C3D9108E5BBDB1E2F67D308E30DA75546B8C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.292{69CF5F33-DBF4-6152-34A1-00000000FD01}35721740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001288624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:08.981{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-6314-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:08.537{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-39722-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:08.471{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61588-false10.0.1.12-8000- 354300x80000000000000001288621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:07.884{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-57987-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001288620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBF4-6152-34A1-00000000FD01}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DBF4-6152-34A1-00000000FD01}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBF4-6152-34A1-00000000FD01}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.043{69CF5F33-DBF4-6152-34A1-00000000FD01}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.010{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E40429E40B1BBEDE028A8373C84BE992,SHA256=A07494CCE8D9181BC14C3921A8954BF9BDAC8A154DDA1F5350505D004632FA84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.807{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67C4610137D140344ECB13B384F04638,SHA256=58FA3C815BF6A7EE316D03B9D5898AA47403CFF737636E838A139771E4D1F28D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.675{5EBD8912-DBF5-6152-3F28-00000000FD01}22722672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001382599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.575{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F416A14BD9193EF47698B248E4A81E10,SHA256=DE531A0D7A49DB421C0844B3ECDB6DDC6C2194FC7B09C35F7AFBB233FB43D4A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.604{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC5869C614528B7435F1A51EC2CA840A,SHA256=17FE037EDBE0BB4841D31EC584536838E2DF97DE131D5C18A2E53988BAA37597,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.604{69CF5F33-DBF5-6152-36A1-00000000FD01}2504172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBF5-6152-36A1-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DBF5-6152-36A1-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBF5-6152-36A1-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.417{69CF5F33-DBF5-6152-36A1-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001288641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:09.770{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-48152-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.229{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE40678DC95BC6F586E5EF98FBE3510,SHA256=6C4C274495153D5A00747DC03BC02AFB7E72FA73D6AF45F38CB89CDEEB57B5C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.460{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBF5-6152-3F28-00000000FD01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.460{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DBF5-6152-3F28-00000000FD01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.460{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.460{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.460{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.460{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.460{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBF5-6152-3F28-00000000FD01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.461{5EBD8912-DBF5-6152-3F28-00000000FD01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.979{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE49ACC2667DBE5B6A0468CBA4078048,SHA256=79802BB98021D05C9D5C2F556A8F2310417E1314E897E3122F828F4B8D1DB14F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.979{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6762AA87272035F766B4ADE3EB964D7E,SHA256=114D3D94B6F666E91F90EA46F9A1FAA5470D467CF38F2BAE1EEE6BED346FB410,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.901{69CF5F33-DBF6-6152-38A1-00000000FD01}962492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBF6-6152-38A1-00000000FD01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DBF6-6152-38A1-00000000FD01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBF6-6152-38A1-00000000FD01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.636{69CF5F33-DBF6-6152-38A1-00000000FD01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000001382603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:14.621{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b448-0xa5fd7dc1) 23542300x80000000000000001382602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:14.590{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F976427D8F14389CFB36440AACDD3F,SHA256=E5677A13D0A32DB329A77149A237E3739483E85D2D1DE02189B818C0AB1F6070,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:10.868{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-55531-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:10.305{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-15361-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001288669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.120{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBF6-6152-37A1-00000000FD01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.120{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DBF6-6152-37A1-00000000FD01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.120{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.120{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.120{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.120{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.120{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.120{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.120{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.120{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.104{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.104{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBF6-6152-37A1-00000000FD01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.105{69CF5F33-DBF6-6152-37A1-00000000FD01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:15.605{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CF316E0901DBD1B83228A56C089AF6,SHA256=5C79EE11A144EE5FAB07341E85EB4699F6740A0C152C26680B688276D3C0EA32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:15.838{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57077CCA19F8994F22E3AED42CEA3EB9,SHA256=63F3B78B32DC4AA9D74CE9B01080F90490C878BA05E72597CF4F8C9559209130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:15.667{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57BC4D932F60D9D6FD0022869CF82C15,SHA256=15FFAB40A514A688D06F07BFC267CD3005F04649AE265786E698A71FEA34C773,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.484{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-30130-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.960{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-4498-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.381{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-22919-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:16.917{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20493786683AFC1035A65D424FF4B934,SHA256=0B96BA1D1ECBF42CCF3FF4A52A159FA0FEEB6378F8411B0C5CAD9AAE7FB6F1F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:16.682{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A03C5DCEE037CF8588A7E29967C62F44,SHA256=ED3E8E1F360B10E9C6C58D9916E709BFF56D71B3450207DFC93ECF3962EE5563,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:16.919{5EBD8912-DBF8-6152-4028-00000000FD01}61804528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:16.741{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBF8-6152-4028-00000000FD01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:16.741{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:16.741{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:16.741{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:16.741{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:16.741{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DBF8-6152-4028-00000000FD01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:16.741{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBF8-6152-4028-00000000FD01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:16.736{5EBD8912-DBF8-6152-4028-00000000FD01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:16.638{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1DC2BC614901BED17B944D0E9BF96D,SHA256=C1930E6DE77E8E662E65F4BA0D8D752FEBA957A24213EE0D0A6CAA9812F25614,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:15.597{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x80000000000000001382605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:15.067{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51331-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001288693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.105{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-12758-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:17.921{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CDBBF7D0851CCFAA431E2DACC03BAD,SHA256=DCA485A71F3809C53432F79B0DDEC6F0C6AD5BCBA5E71A028334A2DB427AA2FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.739{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D96DDA18783CDE23ACAE7B3D3B403496,SHA256=13972B64D37FB640DD5A5D9920F9CEF6A731EEC063941CEB4132AB7AD294E6BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.658{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C7425CBA42D1DFB304F84D5A7A3F02,SHA256=CC37202AB4FBB23A165D3358B79DB983607E1DCB9BFB95B490AEBD92548BF614,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.211{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-20523-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.866{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-38941-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.502{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61589-false10.0.1.12-8000- 10341000x80000000000000001382625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.635{5EBD8912-DBF9-6152-4128-00000000FD01}71045796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.420{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBF9-6152-4128-00000000FD01}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.420{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.420{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.420{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.420{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.420{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DBF9-6152-4128-00000000FD01}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.420{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBF9-6152-4128-00000000FD01}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.420{5EBD8912-DBF9-6152-4128-00000000FD01}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:18.937{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCDF2D46E71B0A0AC012CAD1048F497,SHA256=7FDD892F7EF763BBE9400A168AA03681DD44206E9C0326C3F06408B2DB2B5FAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:18.688{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=618246959FE227525B79199F16152027,SHA256=7707FB6C1173A03C841C40C284CDD1C062DE3B37F7D8BAC3E4788A892F5588BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:18.015{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB2A5BDF20FDADC1E7078DE2C71D6660,SHA256=E84C86FFBC39D4499EFDAFC96706A5111756F0333E9A63E7D56228B5165E8CD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:19.719{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD0643A47F982BFC30098E5CF2ADCA8A,SHA256=03A554707826DAC05397B082A7097E90867A9DEFEDFBD2D19ECE7EA33F8650A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:15.291{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-27775-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:15.091{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-47536-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:19.093{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC81C812912D2CDD092ED7CAF9CD6192,SHA256=03D634D124604B673EBF1AC8E57604A7C4D73599D44BC3EA44DA339A83C1DED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:20.738{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67681A22EEA764D5D3FB40C82A2276C7,SHA256=7B38A5C86A56D9867A996CA5E7177DBE0AC32A391EC8177F9052CBBB2E5F910A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:16.387{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-35128-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:16.231{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-55634-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:20.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0ADF5D5458692ED0F74D14B7214CBAC,SHA256=2E1CB1FDE4FC71C860204F59123F00C78F5CF2F5A74D3F0A5AD18A9919C1DBAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:20.015{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680DD94A4CF7993AA6868229DDF3C48A,SHA256=177180E1BA0AD0058F969738AA0538D602A7EA15473066DF6B7A2E537A4F4F4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:20.156{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBFC-6152-4228-00000000FD01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:20.156{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:20.156{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:20.156{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:20.156{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:20.156{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DBFC-6152-4228-00000000FD01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:20.156{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBFC-6152-4228-00000000FD01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:20.157{5EBD8912-DBFC-6152-4228-00000000FD01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:21.754{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91121900BE5EFA01F3A7541DB6F20D5A,SHA256=C7B38A571607C966ECB0806527FE810C9774DF43B991EC38EAAA718FDB9D808A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:21.312{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F67DA290361ABE742676006C6540105,SHA256=0DA390CFA8098A834FF8FFF25603160E68BEC23C1F6B80E7C42822E99582FC9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:17.421{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-4615-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:21.046{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FEB0BF9880483A3A9358051EBD1DC22,SHA256=85561F2CA4FB2F10E338705175352B5A754C2ACDD83B5437BFA0264603A62B1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:20.227{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51332-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:21.217{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F21CEB4F2C8697A31B80DDBDEB86B719,SHA256=B29D0F24D0220AFD1DCB981126112FAB7E5FC97AA235814BC1F4926A963F6C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:22.815{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BE8FD6CDAF8A23F812C69C0CB954EF,SHA256=FBE23A2536C33E13C5F0DBC865F3A38EEC2B93880F1C7467A78950FB2161541D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBFE-6152-39A1-00000000FD01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DBFE-6152-39A1-00000000FD01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBFE-6152-39A1-00000000FD01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.516{69CF5F33-DBFE-6152-39A1-00000000FD01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.437{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C37C08CDF4B2AB9B2A1DF858D5D4F7A5,SHA256=83D5FE4A63BAFF27023DA063BBA71FA5A5D6F52EADEE88C1026E5639F3E828C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:18.623{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-50247-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:18.589{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12522-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:17.466{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-42758-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDBFA514A9666B4DE790097E8DE90F61,SHA256=CEA6C61BED49A8392A8B78B0125153AC741347D6A0698C72FFD7EFB926115396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:23.851{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8E52EA60E8A8D4C297ED60FB4FB077,SHA256=C4FE7C0FCCE8874DCA3BC1A2B715E62DAE44AF4C71219B8E4CF28C468A163961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:23.578{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C15FCE87C21F6843ADE5EB83B49C798A,SHA256=AB2E630F8DAA1716362C6D24E8046DD7ACF222CE43DD8C77F01742D20818AF39,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:19.686{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-20466-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:19.398{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61590-false10.0.1.12-8000- 23542300x80000000000000001288730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:23.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D897C221720023B6664240D2E52FCBA9,SHA256=7F620DE5899344CE0225B18BD7B2F39EFA094F3BEE72BAC28EF976B27FB25479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:24.866{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723CF674E1D698941BB34DE9D1E8EEAF,SHA256=4BB759820A7073AFDD2D14376D5B48DF1DEAB96CC0E70F1886C5959481A86B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:24.750{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F78DAF6FDDFACA56A966A48475F7C13,SHA256=69E5B0B1A8910BD63A953FB26595009CF2EA277A0964533EA62CEF41B1A57A04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:20.937{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-6892-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:20.824{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27975-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:19.806{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-58057-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:24.125{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC9C35A0A5B652D82380701147BAC537,SHA256=6D510F448224454C8B9AB2FFC87375855FB54B04868B1A0BE897014B6B4A5B70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:25.880{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E913B3E9D7787AC0FB7671AF74B7045,SHA256=4C55281E60D2186AE7544E009707085151E16353190E23180310653FD364660D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:25.890{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B628FA6FCAC5F4405BA629C8E4045A72,SHA256=2832EFDD4BADC80B45461CBF2AC587514E4AD968A38D007C59668096484D0960,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.043{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-14134-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:21.952{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-35973-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:25.125{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B4AD51F2F5371B6803FCA755DA80B6,SHA256=A5EC513EA1111D3EF7532EF9BA870D918861853B9ACD0167D8975760200795A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:26.896{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D0AD8CB4504F02D7BF8972EFA7B450,SHA256=366E206B64D085A238306391315F84F53EC1D39298730488B749D4FC6CC6D0C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:23.136{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-22285-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:26.140{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C047D660E75569CCBBBFCA30508E37D0,SHA256=67EACBF1792C4B6A986775266FE21D5B0DB4588883C725770DAFB92B65C140DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:27.963{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52FFE6BD0DCBF1D9A2774814E14964ED,SHA256=2BDB4879BE0F5796D1BA97CEBD3F04D98A307D47112517302DD42B680AB8915A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:24.372{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-52253-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:24.284{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-29920-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:23.277{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-44535-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:27.140{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD107C213AF5A78F5F077927DFF97BF,SHA256=CA7BA0CE27ECEE1CD1496CDB88C23A6CD978D03B0C1F5FC4CAACCE18E9D8BB4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:26.158{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51333-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001288745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:27.062{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB53E19EF11F844334CD722E880EB58C,SHA256=6F9EBF74A1394EF342DE5E7CE7907B7B56E3CC9662EBB26E2DDD39055A63611C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:28.978{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A775B6367DE97B4575726B08A960D94F,SHA256=1154DD73A7910AA8421116F53519EDF9F8FE721DB07CEB6E7CE49E5FEB4F19C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:25.435{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-37403-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:25.398{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61591-false10.0.1.12-8000- 23542300x80000000000000001288751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:28.187{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA5A1B82CDBFA5A89884918728517698,SHA256=589DD9B68901AE557295413C7DAC9B63D11F9F973449752D934B8AF61364B0DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:28.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767136FD9600E69C8B891AA4A83132F2,SHA256=2ED88D174092D4ACE2069962EFA77408B39A9E009A639C861CB8C407D1E2613E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:29.994{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF94924EEE93BD668411C62192E8451,SHA256=084E9644BCE52E4FF069F46894FAF0CD0436531C29D506AD2D72AA4ED6F1A750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:29.281{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A8AEC4E94C61A3DDC8800764EC5E952,SHA256=F03B16B64719A5AFF4647FE860AF144ACA8790CA75F166A364E9799005A12A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:29.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A61AD7A68F96E8CAD43BB0E0F2B018,SHA256=84B2CB44F508EED71EB128A481DA9C4C4C11B9BD0C4C05583B44E98D8E64798B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:30.406{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=670DED9195B754B7AD899888A25D0E77,SHA256=2C74CE05B96258B258195BD299A114E02CB5513B6ABE45EEEBCA9830D32C069A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:30.171{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FAA169EAFD4BB063780D2818CF5677E,SHA256=93B3DB72E78FE977EACDC7E6B847EADD1339C3E9E72F29939330896473F4AE2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:30.263{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64231- 354300x80000000000000001382653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:30.263{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51095- 354300x80000000000000001382652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:30.260{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local57006-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x80000000000000001382651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:30.260{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61538-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 354300x80000000000000001288758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:26.592{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-8726-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:26.562{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-44961-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:25.481{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-1089-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:31.500{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=074D35718330599C33DC7A6393BD89AC,SHA256=3B20A3CED2E60339467201FE203A132C4C60767CE1B78F8415395454B9C9CEDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:31.187{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E84A6D91D5C25D4EA0817B4B6A7902A,SHA256=B7BD0E4B5249693BD21B86A19EFAEAB60DA6D9E031BB79D1830B0AED386EE0F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:30.412{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local51334-false54.70.80.82ec2-54-70-80-82.us-west-2.compute.amazonaws.com443https 22542200x80000000000000001382657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:29.302{5EBD8912-CDB7-6152-8426-00000000FD01}4172pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001382656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:29.295{5EBD8912-CDB7-6152-8426-00000000FD01}4172pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com034.211.187.119;52.38.12.166;35.155.229.139;52.24.163.249;35.163.9.121;35.162.134.178;52.37.158.247;54.70.80.82;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001382655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:31.009{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57C9E9CD9619832570515C81EE4B436,SHA256=EF541293D22325215DB67F0EC4DADE906CE110D0E6F15DAAF0AD97A0AB9B7FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:32.624{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=516E0741501699B0E8FDE8301FB66C08,SHA256=D669A542EA40D78B39F2B7A39EA0F25A78DFEE7C44D6500B5A960EE3F610AC10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:32.203{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4171E1679219EF04F8404E3080C3037D,SHA256=B20003CB943C5D82949CC01267168BFC0800EDA035F93C6E51FCCB4351BFDAB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:32.120{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51335-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:32.028{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026A06640521D2415F1CD807A13688ED,SHA256=787297647A1E5226E1DC22211ACE4CE59472ED9BC1707A6CD58601E04077893D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:29.218{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26547-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:28.778{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-1327-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:27.727{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-16026-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:27.666{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-52386-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001382665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:32.859{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com40389-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:32.417{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local63217- 23542300x80000000000000001382663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:33.177{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2B52402AC86FC712E31D48E6DAD027A,SHA256=EED92D9AF1A6E43DAA0CBD601ACF6C0EA046268E21AD8D114E65761F19E7B7FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:33.177{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90D78331459FB043FAE4F15E003A244A,SHA256=591B1AA9AF21AD726F722DA13AF7C6EBFD6ECFD41F3ABDE10B8F24DC058889AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:33.061{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9EEE401F1003964BF9959DE34143077,SHA256=F7D8EE45FA2A45554F7E293D0E6CDBA938782EFA30F15048DD0B94F1243DE564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:33.781{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C52093A6C2075F5D82A4E335F286C9C,SHA256=0DB80F51194A70315FC1413B3C757CFF2E7A4C79A2203B313AA8844DAF2D230F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:33.203{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0520FD7EA6EE8E1CCD3B2BD995D4F18,SHA256=F76BF9C89B8F02F268176308AE568596B1542425880D24AADC795192FBD48E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:34.076{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A6EC42BE7FD8531D3CA46469F4FAA60,SHA256=C56FFE60037C522D1CC726E1DEBC8A91D1173DB0C47C7F6B9E6947DE2CFC81CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D74F8F67714E8EF593F5FFD613E764F,SHA256=837BD769262566DBA7D31E1D35D388FBA1D713CF35C9C02066E7F5971CCAE8E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.218{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7CF2DE9B923FD3A789B7EF60404B0C,SHA256=FECF494BF714C439B75AE93D2D0B86FFC32144CF60036C594CF40F0A462D8D67,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:31.012{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-16755-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:30.554{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61592-false10.0.1.12-8000- 354300x80000000000000001288772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:30.356{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-34254-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:29.886{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-8528-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.234{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799C92990752AAE2E90A4BFF6928758A,SHA256=39B29C0484A49A4FAC6D486FBCC25BDEDF9AA8A8545593C9A72D8B854576C5E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:35.092{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE58D89C117052D2AD3BA40834C6B032,SHA256=290F7295E67BE76D90F5DEF2148EA1D4BD8C061E53DD8C4EAED64029A9A4A172,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:32.779{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-50679-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:32.157{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-24535-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:31.558{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-42850-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:36.250{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D897BF89BD2D09129F9D675003C7469,SHA256=D2A461E73A94C3E41721B6058C92C9DDE0E7883AD6BABAD875CDBACA88D68BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:36.107{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE2DCB7734A5ECFB0EC7227C5F998A8,SHA256=C4E04BA2C1526581976CC4FF5F1B8433C535CD59A48D7632CE23DBBB8446F9CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:36.187{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC466D446B8A18FA13602E94614DD946,SHA256=9ED794DBF327FD02699E528DE72F50A678FF89324D01A0FBAABE5321C0E24516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:37.125{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37286AC8E6FCC8A92ABB0C49E7DA83B,SHA256=0A1D6FD0CA1CE2034720A84E0BE02E4B91BF21DBDA6C556BAEB3029C7662529A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.166{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-58518-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:33.415{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-32629-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.265{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4359183A2C5A98CF3082FDEFCC708A,SHA256=CE837ACCEE986897D2BF625178026D20BD55CDAA1B106E45033F1228157188F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:38.118{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51336-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:38.143{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5B60989A7A8B51F63F971822D75D010,SHA256=4641CC1BC78FB57A798E6564821643C587095B62323E19075D0D0C762ABB1D44,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.371{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-8859-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.273{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-45187-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.242{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-45059-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.214{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-44967-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.191{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-44854-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.170{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-44572-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.133{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-44322-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.097{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-44170-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.076{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-44033-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.052{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-43871-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.030{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-43726-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.007{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-43590-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.984{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-43308-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.955{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-43092-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.930{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-42929-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.891{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-42833-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.870{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-42694-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.848{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-42508-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.825{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-42182-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.786{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-41901-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.749{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-41722-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.727{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-41439-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.688{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-41253-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.666{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-41098-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.642{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-40770-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.604{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-40636-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.582{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-40485-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.559{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-40322-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.267{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC501BC53581ABE4DB7794FC6411B421,SHA256=6A7C284CDAAF6AFB4E0B203D3DE0C9E7EB0CE8F62AAD2458455A99DE61270F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.080{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F2305C756E51C12B52F19379574EFE6,SHA256=0C79CE9DF3C40610516BE0CC8AA60023C9F5D295D37994973CD6066578B6F9D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:39.439{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAEC03B00087D4A52FF2F0EA71CDE44C,SHA256=2FAE78AB06F31BDF49E448145FC8A8BE009B93452A1464D0A68D8EEC7A600C1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.570{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61593-false10.0.1.12-8000- 23542300x80000000000000001382672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:39.158{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6261A390A63DF0C7F94D0CAB1576A93,SHA256=8819FE376CB45315B51B713007BB808A628307A3D20B48877517D9F516D31EB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:39.236{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA6A3AE18BBB2672B977A1631FBAB8EF,SHA256=B2DBEBCC0E39190C17633E37DE1BD323CDBD9D4060572B841E7398AAF6F0B035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:40.439{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B8307255B5AA87391DDCB8D1A111181,SHA256=082BB8689C92D96D2A0F8DC9FF0E2CD5B03DB8F6A4BE4E58705018414635EC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:40.189{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E223F195FC721C2B180C8CFD3C0DB81D,SHA256=CBC65DF012E599BF1032D31ED6044B6927E3D33B5BC624C31C6F01729552895F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.704{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25008-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.682{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-24730-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.645{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-24475-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.608{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-24303-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:36.465{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-16325-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.743{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-32126-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.706{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-31724-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.672{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-31452-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.633{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-31234-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.578{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-31041-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.511{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-30842-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.488{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-30566-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.452{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-30377-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.430{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-30046-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.392{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-29895-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.369{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-29649-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.332{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-29369-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.295{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-29094-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.258{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28926-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.235{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28748-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.212{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28493-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.177{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28342-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.152{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28118-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.129{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27944-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.106{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27660-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.067{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27407-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.032{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27265-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.010{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27101-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.987{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26978-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.965{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26778-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.922{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26319-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.825{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25823-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.787{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25612-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.764{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25296-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.727{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25143-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:41.486{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC5E83C5E6BA6EEBD18242C329A214F,SHA256=AD8EB852A00F3EBE72DBDF35D421181AF7B25AC2C482DA37874987B14F55929A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:41.203{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2224099C345F6738C472B8FEF5D8D5D,SHA256=F46E3B5D2AAEFDEC45A124A89F1DDDB45BE0E193B9AA2B78C54BDC0954BE20D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:42.861{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36EC666FE02E930D766CB89E2B0E6B71,SHA256=5964F22DD7963B00AB17F85293D772ABCBB7576D06C5C569A8E06364B8FA5C3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:39.143{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-35497-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:39.119{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-35261-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:39.094{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-34953-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:39.056{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-34756-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:39.032{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-34588-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:39.006{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-34324-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.968{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-34074-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.934{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-33939-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.910{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-33776-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.887{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-33514-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.849{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-33353-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.827{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-33057-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.790{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-32866-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.766{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-32662-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:42.221{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C425219C2D6531FF4C44C4633D0AB91,SHA256=996DC826D1935C2C01B96A69DA713BCB4AFD83EE7A2D1B36C4C07CE0B1802F4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:43.783{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C913298F1102E34836FFE0971DE46C53,SHA256=4E44183ECF18FDF27EDE2C547576417BEA365A4390050FACB802D7D53F83724C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:43.011{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51337-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001382679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:43.011{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51337-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001382678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:43.239{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D0C494186F44669EBD01A05A29DC07,SHA256=D2141CA50157650A6C964894516A1559DC1B36C42370FCA07182B8A5E5529951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:43.040{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD2DAB077AAD8AEF277986D9E322A5DC,SHA256=54675472E51C402F41B18FA72C2FCC10CABC2DE5A61B1653A434795F075D446E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:43.040{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2B52402AC86FC712E31D48E6DAD027A,SHA256=EED92D9AF1A6E43DAA0CBD601ACF6C0EA046268E21AD8D114E65761F19E7B7FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:41.572{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61594-false10.0.1.12-8000- 23542300x80000000000000001288873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:44.814{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58CDE418E3ACA045F74CC3678F9E3FC9,SHA256=E88FD8BDA5D570329D8402411630B5D1CA13845C64CB198631737D70FF21BDDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:44.110{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51338-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:44.242{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AFD58D3AD3015ECF744264BDA6F9DFB,SHA256=521EE53C1E26498FC6D29824BD937222C6E85771D330E066318D1A8E5BD2A504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:44.251{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5BC4D51E332EB278AB664607447F7135,SHA256=5628475D7DA964E8F2DB8A753CDA77303994421C3A993CC2B7F98E2576C47DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:45.830{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F660D492C326CFFB009C2E4E570173C2,SHA256=365C85509C9C0042D8832F87EEAA589BA8A09D2B7696744267B4B4C41698D290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:45.256{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6DB88B23A1E114B538C43E2CEE8013,SHA256=59F508C54E3E6B5C99EBA59784B843CCE84FB175F7FCBEB6683895E24DC7BCFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:46.955{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622DEF4369766510D8DB1B8D0A96EA1D,SHA256=7E9CE60E52C70D6265CEBFDE11F586A3F4C8FB23D89E0F0C170F4A7509113983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:46.271{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFB3A3B342477CC879EF714B61C07D5,SHA256=D4BAD8C4B5C0E83C00065FB9D74E7BE1CA276A7BE6ABAC7EFF9CA61FC072D55A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:47.523{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:47.301{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F887CBB02DA1EC45595CC12DAE672D,SHA256=57D6C492EDA2E6A38402CB7944E08F4F3F3473B6034AF4DC653A4574E0B6E8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:47.001{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:48.319{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=534249906EDEC9CB2DDAAADE1AD7BA13,SHA256=EA5584CE0986FFE66F8895557D48279EF61D09E8897B63FB0A49471CCE70C7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:48.017{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7C546B757DB27CDC3C0CC7EF881E93F,SHA256=07B171D19333F95A09A4B1315418D059B448DBCA1F1B35A654EB2CAA039E21C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:49.337{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CBEEEA785A75383AB569300E2C080F,SHA256=ACF54444CAC70C7E5143F5DC9E6674B02769FCB66AA49D5BA5772ADB6F176367,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:45.340{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61595-false10.0.1.12-8089- 23542300x80000000000000001288879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:49.048{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B13A0643EF8CCBE072C42755DD3733E,SHA256=CB154FBA574B310AC1ED153FC52720C5213FD8E8E24809D57BC5B5336E4CF68B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:48.509{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51339-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001382690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:50.352{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB8311B836EA69302D7E83AC0829DF9,SHA256=EE363E092AE61AA7E416559A182C480A5F6A8354D60831A453CF11820D50AB09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:50.173{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449CBA947B7AEB33C089CBDA1E850A36,SHA256=57A97D38CE1C01148B7B25B38C975C43872247E195489902F81533D198108FE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:47.572{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61596-false10.0.1.12-8000- 23542300x80000000000000001288882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:51.173{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3ED2F84A33BAA2C712D7F0BAF14F61,SHA256=CC65D470E2BF15CE4B2A152F40ED6A8DEB4C7B0B357047E8CF02E859DCC43F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:51.352{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153CC58C6FB8C1DA8A335EDA48F35637,SHA256=B45068529E58ACF1DB604C792AB6DF6CF13E779314567AA7FD25C089ED8D86E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:50.031{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51340-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001288884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:52.189{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC58F284E34DE060ADEF818A4D424BA4,SHA256=05D4A2468956125C314B673B1B66784B3FFC39C19E12ECC6AA99BC9A8C06BC7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:52.367{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A41A932B6B22106550E2BB08C6B3C4,SHA256=F3F763A36FD0974CE49E0F16E30A24AF507CE0596E959EBDADA15DDA1D756197,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:53.887{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261597-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001382694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:53.382{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320AC63D8BF1C40B2D589D386772E5A3,SHA256=1A30863CE29662A994B3B99F3237D6798014E7A691D68A76D51C5824F4B2A5B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:53.863{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD159363F259E99A16980C1CC997DBD7,SHA256=A764B1915E529E2E382AA2331A03B5192BAFC466F3E5A734DAA51BA2A636E3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:53.863{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=575A74E2632120F158F0EEF0278E79BA,SHA256=B0E55AA5820D174D8DE0A390D2046370BA8030AB6E7C7667831B2DEFDBA716AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:53.429{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5711MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:53.410{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE75A40FC8B3470B92084A10B3AE9443,SHA256=DCE067F8E16E9DAE0FA4E748003FA25F77EEE162FA6E3D9BC4EEDC2ABC6DB8DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:54.398{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A67E90423D0BA6DE1ED23D21CC7C40,SHA256=94974B10BAB31FA45312386BCA245D5BCF8078DB1AF34226494C580B15313D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:54.444{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B17E611CD67338A9AECC7183C4A59AA,SHA256=BF36CA72757337ACAAF9C9157925DA8AB49BEE2A26AD9589BF93BABF5ACD3610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:54.441{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5712MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:50.962{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-32541-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:52.291{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-39764-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:51.209{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61597-false10.0.1.14-49672- 354300x80000000000000001288894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:51.044{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-32963-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:55.445{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13884A98FB32D76360BF486AF40E77DD,SHA256=4CEBA8C9D24CB43C432C9C9F69D446B2AB92F76A398F69A8B707874B4534FDC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:55.414{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF2C6A8DD797C09BFA3E3CBCAEA82A1,SHA256=840DC902F5CE93D763E8846A1BB351BADFC6BA689CAB83D36AD9C5EF87E80DFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:55.117{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD159363F259E99A16980C1CC997DBD7,SHA256=A764B1915E529E2E382AA2331A03B5192BAFC466F3E5A734DAA51BA2A636E3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:56.461{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC68C715D3E7883C5B15F5450C3BEA2F,SHA256=5FD3BF4B55A4703084C19CDD972BE6A7C9691A82290FEAACAC72E6FEBB15FA14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:56.435{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616FF78FC9DFF3DB68B9402AD1BFC6D4,SHA256=CCC31B6203B695BB5E4FFA152B057ACA2D45F8AA782A740E7FC1D810FB869A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:56.435{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1394MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:56.367{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1442B9283E74EB16E2E13D315B387D22,SHA256=A8D69DF0DE1BC8926D4C7692FA63FE275B4F629720E8F42FCB73DF35BF715862,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:53.421{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61598-false10.0.1.12-8000- 354300x80000000000000001382698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:55.059{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51341-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001288902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:57.663{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02048522F5CDA933935AC5A61A897142,SHA256=562FF74F76822DAA00194949A5A8E2FCB049A375831F93BB2D9EE2E8B059C526,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:53.546{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-47108-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:57.476{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F068C6B9E5F12B0205A76C3424C02D79,SHA256=6E666D26BC63286524D4A78022B2187F7D703FA852E8389050C86FBF47476E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:57.450{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B81943A93AE1316DC3D8EC795672270A,SHA256=AD6C399513DDD2B161B8FF45AC340EBB674C98A5E43EF1AC1C5B570441FB8E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:57.448{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1395MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:58.464{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D4C10B54F458C00C62AEF9F0A39543,SHA256=4BA9C8EE2F696DEE257C8BBC571326EF66FA053A653DEFA1D74001B9E29FBE76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:58.975{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=525934EB7CAE460ADC355E28053F4D3C,SHA256=B83D5654AC223C30560FEE300600334A1D675ED6376CC1C61D430AC0AA837C84,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:54.794{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-54203-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:58.491{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9190D94228B99DCD582789BFDF45B593,SHA256=44BBAD94AE25078866C0B88DAA457DFCDB55426BC38A8AD9573DE96DA27C0043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:59.495{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706ACD15C926CA3A18B478AFE7B300E5,SHA256=2DA819454112203A7A3D5A5AA8D5EDC4C5219023021D65E7E9C95BB09DCA482D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:56.090{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-2150-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:59.507{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA9B128808F7AAFB0E834EEE5D25A1A,SHA256=0F7E96F91AAFAC30A666A7F01305CC6FD55498273C91E7BD7B5A0199FA400519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:00.532{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53F8D353D38686652B2666A6003D3F3,SHA256=947E5870352BCEC0C1A6D2547A4B576BF4D56BC492CFDFDF461801704CFBBBD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:57.513{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-9801-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:00.507{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6452F3160A4710FF31F41E38B8963BC,SHA256=5583352872C52C72775DE43CFDA4DA8F17F4C7BE73371B09BE7C4E0B200EB173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:00.335{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5AB8E37D76134E44620DCFBBB7AF8BA,SHA256=5D35B4790B4DE88178728120BFB2226369901E636497A5DA17DA46C5224121EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:01.585{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57E554CFBE11BF37A411D20CB261C75F,SHA256=371525817E0EE3FDED29CCC57421119A9B4273AEED022DD9DC642D46296DED79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:01.522{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F46B651AB4F329F6192917CA457AFB,SHA256=4A2572FEF4B87B059F622DA57806E06C02131D19070C3526DFC17498C1148F37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:01.546{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7291FFFDFA4B82DD3D9CF7683CDBD1,SHA256=FC7430D2CFDF64330AF34202F04E36DEBE7D38DB7097699D2DA4BF95AD74B0EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:00.087{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51342-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:02.576{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A218A9AE74259887A999B36C86BEE33,SHA256=1EA85A4CA4D3FBDDF37E30436CCA70FA725644F6B451CCB5469C14BC0CE7B890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:02.576{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD2DAB077AAD8AEF277986D9E322A5DC,SHA256=54675472E51C402F41B18FA72C2FCC10CABC2DE5A61B1653A434795F075D446E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:02.561{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33415C0BAE0E7E3E0FA19AB5C141C84C,SHA256=64690472355FADF371DD6D42B7F262203789F3429F8AD73347060AB2580095E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:00.014{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-24053-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:59.436{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61599-false10.0.1.12-8000- 354300x80000000000000001288915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:58.760{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-17103-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:02.835{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78FED36C4CACAD4A2A6559E13207F8CA,SHA256=986EC69668670E590D18E5F836D40E597C9714E3AE0C230205C1754D8C1F2AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:02.538{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB2A172E66C57A9E5D4AD8BADCE97E5C,SHA256=3741F7B87D99CD2381250147E7CBA2471BF39556BAC8BD69A44F69A2335FBEB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:03.710{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A218A9AE74259887A999B36C86BEE33,SHA256=1EA85A4CA4D3FBDDF37E30436CCA70FA725644F6B451CCB5469C14BC0CE7B890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:03.575{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2FF6C21F50F1C1F98049DF6FFA85A79,SHA256=59717A4AFB7572CF97F4E90C464BFEE9E4A550348A6C7D907CD6829F3F7AB0F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:03.538{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1691D40567A8F488D59D3CAF75D824,SHA256=1139BB257273C67A2D5EF7A968D8FD37D00B7BB6C76D8E3ABD39295792BAC62C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:02.515{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-45152-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:02.491{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-44970-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:04.791{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0EBCB0C974E823152710A8E017E208A,SHA256=C85E0ED6A64A259330174A4F007667CE2E37A99162D86AD17B788E94D5670A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:04.591{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BE8E40072B7EFEA5F0DE626EC0902C,SHA256=AC6EE8406B20C260AA782F9970BF872DEE853D68CDBC25C6F2BE62CA82384B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:04.553{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8894F6856A0F611845EF59EDA2C94E6,SHA256=CCB3CA8672FA07E14E50BE0A60A90D2E6ADCADBDBA9BEDD4C7F6006E8D551B04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:03.604{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-49373-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:04.085{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8686279D98DDEB4797FA39C160A93B1A,SHA256=9D089F4A972E63D55A3C66D60C996B84FD2D3002DB17303CBFA2CC32DC565D9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:05.569{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9574F7DBF51CF17FF890F5135CDC1BF0,SHA256=E4197010FC26340B1BFCA032736A8A7E12BDFFA8AE34E255B950F5D7BCBEB7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:05.609{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E9063C6488E5D6B3388BA19973457F,SHA256=63B17BAFE22AF96C036CB07A1ACE111E883437C4F4F8103028222C795895BB00,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:04.721{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-53922-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:05.335{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0D57A9B50767399671378DB253A47E5,SHA256=08F42D975BD77A84CC6B3C8082FABC9646DBA17FFA27CF641AD7BE26C210978A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:06.600{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A322D277BE30A8A6B8A76C830DA63B37,SHA256=26EE2E674DD4C399AC252D4E4F048417EC82BA798CABA214DD950D79DF0EBEA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:06.585{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB7170CEA185079C6CFBBDCB455C817,SHA256=D5D63AC3071C34F86F7A2905D336AEAEA169F3E1BF4D4F84D21FB338EC0DC3C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:06.627{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E475B71CB551A752809A242AAC820491,SHA256=D6D432C9BDF238B090F9EDA917E5E0B7780304D8FE2EA70406D12CCB71795664,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:02.511{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-38394-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:01.262{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-31362-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001382722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:06.036{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51343-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001382721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:05.959{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-58344-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:06.043{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FBDFDAF0FD5713C9DBC823476B26A35,SHA256=328E86152798A22E4957388BBF264FBAE0DB934C115A881FD4A101071D0915E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:07.641{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1DD860C570FECA64BC4667FA86B7136,SHA256=0AE6F3C047D0636B46975F62D5215D900F6839D677ABE9F65B10751CFE3148F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:07.897{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=470177FDAB5BC284BC1235C2C9499463,SHA256=71380943A914FD09188C7BDCA9456F240803543B344A5D134C334FEA9CCE96A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:07.585{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F337B9822F8103DB1C2AC59BDD52B1BF,SHA256=246E6AE6E6F58E299376B6C730A74F03144D8EBE020E44B3DA1827BA20FCD72A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:07.142{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07887DCE8AD24856B806DE4DE7CA424A,SHA256=82A180CF2F59756CF83BA80196A061813731729940499FC3C0843D1DD8E46DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:08.672{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB57BB82ADFF20A94BA039749476FB93,SHA256=1AB987D40A434C22EAEDE191AD6CBB2DC1016318E9D5AB23864C28D8A117B7A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:08.600{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD10496F13F15D700C23517F6C02C57,SHA256=14D29CDB2027FE295D19F9D0CDF3D8014E1D7FB2B6BA7730C86CD54811F09AF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:07.426{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-19096-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:07.401{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-18944-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:07.065{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-4105-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:08.226{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11E80BA12A4728F819E155B02B6EDD27,SHA256=D9B036C1281C4B426949EBD6569DD0D1DFE13D7EE689B077E289AC4E0A101E76,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:05.029{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-52246-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:03.774{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-45081-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:09.687{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114F956CF9E617D84F9C99ED60B573AE,SHA256=DA9EB928ABEAF68E080F70407941EA4CA92B620EA684C01C1AC4DEF2AFD5E8E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:09.616{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82555D500922E57902D444EB3AA0437D,SHA256=07D3D00FD0FA681EAC032D1A0398AAC68D52E433C52E34E7A894CCB475DFA8F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:08.501{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-26343-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:08.155{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-8485-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:09.356{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E57BC1EEF6A12335D26C99895BA0FF62,SHA256=2644A3D7B2495EFD7ADD65920BCA63333D231A46930C23ABA021A4B137B02849,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:06.342{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-59811-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:05.405{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61600-false10.0.1.12-8000- 23542300x80000000000000001288932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:09.178{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1ADB39254414D2FB859FB4F8E4211320,SHA256=D511233DE6436D8C42AC936FE9C210D9F03A8E740D7762B493D1137E916BAAA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.886{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DC2E-6152-4428-00000000FD01}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.886{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.886{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.886{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.886{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.886{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DC2E-6152-4428-00000000FD01}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.886{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DC2E-6152-4428-00000000FD01}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.887{5EBD8912-DC2E-6152-4428-00000000FD01}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.771{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6CED70BD12CAEBE01F1ACB47996340B9,SHA256=AA6D10D581DBC6F9657642CA9D387C150D82063008A54D9D117B7B2FFBA52307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.706{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B382A1AB8E2C77E22F36D1AAE86C7E5,SHA256=A87871D0840994F907E25800E7E0F6CBDBD5295DE87426D9ED8632D07CF294C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:10.631{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C209C5C51F49E6EB26AE633AB784634,SHA256=F63FBFBDDCBDFBADF317A53DA9AF1620B97D5C61145B873B97B6F9F8E2450884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.487{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C695695FEBE22D1414A0699AE6949994,SHA256=55C46B67FBED3480A6D351DB2932F2B6D6458649558E727ECE8F2AF5B7E9C364,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.209{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DC2E-6152-4328-00000000FD01}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.209{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.209{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.209{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.209{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.209{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DC2E-6152-4328-00000000FD01}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.209{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DC2E-6152-4328-00000000FD01}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.203{5EBD8912-DC2E-6152-4328-00000000FD01}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:10.428{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=272679BAE9657D357E038A20A81865A3,SHA256=6AD14165FC95A393679052F263C9C53AC9D416E0BD7E02DA03D300050934F84A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DC2F-6152-3BA1-00000000FD01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DC2F-6152-3BA1-00000000FD01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.977{69CF5F33-DC2F-6152-3BA1-00000000FD01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001288953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.680{69CF5F33-DC2F-6152-3AA1-00000000FD01}17962952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001288952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.650{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7E1E699A34B96EC8F289309240BD5DB,SHA256=87238A9BACEA504DA3AD61D3B1870A211F066950CAB54250A16C0EA1876B0E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:11.723{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=319FDBBEEC1B3C8E981CD792E102897F,SHA256=F4BFFF58D917A79A259D3A45BB023099CDB945B2CAC85B91B472C816C63192ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:11.605{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8905F5067F8EF1A282F37733A1A6E704,SHA256=C62AE554C1C2707FF9D0AAF094C5ABC972728EE68FE26517C16EB892C6F9F8E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:11.048{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51344-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001382759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:11.012{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-43183-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.384{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-17335-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.228{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.92.42-57534-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:09.707{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-34407-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:09.254{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-12855-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001382754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:11.108{5EBD8912-DC2E-6152-4428-00000000FD01}6768136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001288951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:07.606{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-7895-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001288950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DC2F-6152-3AA1-00000000FD01}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DC2F-6152-3AA1-00000000FD01}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DC2F-6152-3AA1-00000000FD01}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.351{69CF5F33-DC2F-6152-3AA1-00000000FD01}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001382773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.807{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DC30-6152-4528-00000000FD01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.807{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.807{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.807{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.807{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.807{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DC30-6152-4528-00000000FD01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.807{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DC30-6152-4528-00000000FD01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.801{5EBD8912-DC30-6152-4528-00000000FD01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.753{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70EF406CFD844A7D706A52AED3337C6A,SHA256=21F6F020F3533E19CECCE8AFFD94F85FEC481D4D897BA338DA9CE8190DD5DB6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DC30-6152-3CA1-00000000FD01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DC30-6152-3CA1-00000000FD01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DC30-6152-3CA1-00000000FD01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.664{69CF5F33-DC30-6152-3CA1-00000000FD01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.663{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9835B669385F65B95F45D7B1BB565F1,SHA256=469F2CDA6ED1B1CE16D18DD574075232CAF186C7218CE12D2F1A1235E94D56B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:08.870{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-14864-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001288968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.194{69CF5F33-DC2F-6152-3BA1-00000000FD01}1520352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001288967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D7D083BD9B03FF2430B4611CB6A15F7,SHA256=5C450AED2A44AEA1130526A9CB6CEEDC8429DAE9F4F72D430FE432BD94BC881C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DC2F-6152-3BA1-00000000FD01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001382764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.722{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCC341BFDC703FF7EC3573C741A77CF3,SHA256=36F089DE7BBED1B5A80D8CC3615D1DCBB58C59426CA12B56D095C359C02F8E93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:11.499{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-21637-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001289012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DC31-6152-3EA1-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DC31-6152-3EA1-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DC31-6152-3EA1-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.915{69CF5F33-DC31-6152-3EA1-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.913{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F43645EEA8955BCEAE3A21EDB5949ED,SHA256=D55EF5776602BE36F8335C50B8BF6DF33FA40DCC890E9E8D2644FFE5012E40DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.804{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C66D3BEEBBA143E4242FB93D1B6CA8A,SHA256=7DA102B8A56593A3BE900F34D0392217BD57E7A0A340B7CB300726CE03C9EE01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.768{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD80B167D99710ACFA1ECAB8A40AB20D,SHA256=003B74674F7B8A89AEF45EEED5879559092DC3CA99540BC908D02CECF435DEA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.626{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-26140-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.178{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-51292-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001382782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.484{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DC31-6152-4628-00000000FD01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.484{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.484{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.484{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.484{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.484{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DC31-6152-4628-00000000FD01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.484{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DC31-6152-4628-00000000FD01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.485{5EBD8912-DC31-6152-4628-00000000FD01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001382774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.022{5EBD8912-DC30-6152-4528-00000000FD01}64166256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.522{69CF5F33-DC31-6152-3DA1-00000000FD01}34882688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DC31-6152-3DA1-00000000FD01}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DC31-6152-3DA1-00000000FD01}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DC31-6152-3DA1-00000000FD01}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.289{69CF5F33-DC31-6152-3DA1-00000000FD01}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.241{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45BC69850FEB927749E4CC0ED9585A44,SHA256=DBDF1B727BE679708A9608B80DA77F62C08548D7068291A92C1F04816EF32B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:14.884{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDE9683D66E445CA115F7B32BA44C995,SHA256=C3D61CBE526AF15BBEC6DC48D3B5D5920EA61AE1E8E660DFF6C1FA84CA6653EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:14.784{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5ADA43861428EF77A1526B416DE21C8,SHA256=BB6F1E054BFF18525CDC8AFB8F9EAA27CC170534E14BFBE00EE62C26650BC8C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.667{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-30104-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:10.592{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61601-false10.0.1.12-8000- 354300x80000000000000001289028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:10.418{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-22804-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001289027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.616{69CF5F33-DC32-6152-3FA1-00000000FD01}3512108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DC32-6152-3FA1-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DC32-6152-3FA1-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DC32-6152-3FA1-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.429{69CF5F33-DC32-6152-3FA1-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001289013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.397{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A2BCAF3039ED5A7043DDED1D3CE98E5,SHA256=1A3EDCD3964EAD1678BF7A602D143BDAE9C3E9078FA047DEE2C3EE2D440DAC66,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.317{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-59469-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:15.967{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26C03BB9FF0875317EB0B824039D27D2,SHA256=A456B2931F9B5A08B102BF55103B62177822B6982D2F7E4ADA8ABD8E81B63554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:15.804{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5207B739DE19359D02B3496886E4F15F,SHA256=FC10B9EE170981F3DE30F1A565425BB93C8EB605CC229D3629A0B4B42C8E9391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:15.460{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17ACB423C36AB344A725A7BCB8DCA912,SHA256=59BDE64431C45C8CA748BE6A25FADB179B8F7252AB98FC54D19B9813A7D98B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:15.163{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880DB52A92BF58B3EA049E9388E56D55,SHA256=EBD3412F676D691F5FF81D182CB5AB3CD9F6C55F9A0C591382D7DE44DFF7D5A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:14.408{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-7665-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.735{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-30580-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001382807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.835{5EBD8912-DC34-6152-4728-00000000FD01}58486448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001382806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.822{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28F9D46BE30506C8B8DE4D832D78173,SHA256=3A8E2E6588D18FC9327489011F41AF8DB9AEC4E75F4FAEE85B67278D496D38CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:16.991{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFE68DB8CA84E187293907D10BEE788E,SHA256=C006D093C6A26B13EE36A7512B2E3A3122C4BCA87454919F3515328E03236FD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:16.397{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94FD2E1D46BCFAFB6CBDD6BFD3A43155,SHA256=8067F24D62B945EB400873BCBA3ECE4639EFA0D461EA5DBB809A7AFE351208E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.604{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DC34-6152-4728-00000000FD01}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.604{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.604{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.604{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.604{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.604{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DC34-6152-4728-00000000FD01}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.604{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DC34-6152-4728-00000000FD01}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.599{5EBD8912-DC34-6152-4728-00000000FD01}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001382797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.551{5EBD8912-8CBD-6151-0B00-00000000FD01}6406104C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001382796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:15.897{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-39328-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:15.601{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-14487-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:14.813{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-34847-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382820